Description
- Type: CUSTOMER
- Severity: WARNING
- Protection against: SOCIAL ENGINEERING
- CIS: M365 4.14 - (L1) Ensure notifications for internal users sending malware is Enabled
- FIX Available: YES
This Customer Check attempts to determine if emails between internal employees that are flagged as spam by Microsoft Exchange are forwarded to an administrator.
Why this check?
We often think of spam as something to spend as little time on as possible. But if it comes from within the internal organization, it is an indicator that there might be more going on. For example:
- Someone has gained unauthorized access to a colleague's mailbox and is now trying to deceive other colleagues, for instance into making payments (BEC fraud). This scenario forms the basis for the WCGW categorization.
- A computer in your organization is infected with malware that aims to send spam.
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 4.14 - (L1) Ensure notifications for internal users sending malware is Enabled
What possible outcomes does the check have?
This check has three possible outcomes. In Attic, this is reflected as follows:
- Okay: The policy to forward spam within the internal organization to an administrator is correctly configured
- Warning: In this case, the policy to forward internal spam to an administrator is not active
How should this be followed up?
If the output is Warning, we advise enabling the spam policy (EnableInternalSenderAdminNotifications).
A Fix is available for this check, which we will offer via Attic.
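To verify the setting by hand, the added example below (not Attic's own check logic) maps each policy to the Okay/Warning outcomes described above. EnableInternalSenderAdminNotifications and InternalSenderAdminAddress are properties of Exchange Online malware filter policies; treating an enabled policy without a recipient address as Warning is an assumption of this example, and the sample objects and the secops@example.com address are constructed.

```powershell
# Added example: classify malware filter policies as Okay or Warning.
# Assumption: "Okay" requires notifications enabled AND a recipient address set,
# because an enabled notification without a recipient reaches no administrator.
function Get-InternalSenderNotificationStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $enabled   = [bool]$Policy.EnableInternalSenderAdminNotifications
        $recipient = [string]$Policy.InternalSenderAdminAddress
        $hasRecipient = -not [string]::IsNullOrWhiteSpace($recipient)

        $status = if ($enabled -and $hasRecipient) { 'Okay' } else { 'Warning' }

        [pscustomobject]@{
            Policy    = $Policy.Identity
            Enabled   = $enabled
            Recipient = $recipient
            Status    = $status
        }
    }
}

# Constructed sample policies so the function can be tried without a tenant.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Default'
                       EnableInternalSenderAdminNotifications = $false
                       InternalSenderAdminAddress = $null },
    [pscustomobject]@{ Identity = 'Finance (constructed)'
                       EnableInternalSenderAdminNotifications = $true
                       InternalSenderAdminAddress = '' },
    [pscustomobject]@{ Identity = 'Staff (constructed)'
                       EnableInternalSenderAdminNotifications = $true
                       InternalSenderAdminAddress = 'secops@example.com' }
)
$samplePolicies | Get-InternalSenderNotificationStatus | Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module, connected session):
#   Connect-ExchangeOnline
#   Get-MalwareFilterPolicy | Get-InternalSenderNotificationStatus
# Manual remediation of a policy reported as Warning:
#   Set-MalwareFilterPolicy -Identity 'Default' `
#       -EnableInternalSenderAdminNotifications $true `
#       -InternalSenderAdminAddress 'secops@example.com'
```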