4.4 Ensure mail transport rules do not whitelist specific domains

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

You should set your Exchange Online mail transport rules so they do not whitelist any specific domains.

Rationale:

Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.

Impact:

Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To alter the mail transport rules so they do not whitelist any specific domains, use the Microsoft 365 Admin Center:

Select Exchange.

Select Mail Flow and Rules.

For each rule that whitelists specific domains, select the rule and click the 'Delete' icon.

To remove mail transport rules you may also use the Exchange Online PowerShell:

Connect to Exchange online using Connect-ExchangeOnline.

Run the following PowerShell command:

Remove-TransportRule {RuleName}

Verify that the rule no longer exists by confirming the following command returns no results:

Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs -ne $null } | Format-Table Name,SenderDomainIs
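The following script ties the PowerShell steps above into a single audit-and-remediate pass. It is an added example, not part of the CIS benchmark or Tenable's audit text. It assumes the ExchangeOnlineManagement module is installed, that the caller holds the Exchange Administrator role, and that the parameter names -Remove and -ReportPath are our own choices; the rule-matching condition (SetSCL equal to -1 together with a SenderDomainIs predicate) is the same one the audit uses. Without -Remove the script only reports, and with -Remove it still honours -WhatIf so you can rehearse the change before mail flow is touched.

```powershell
# Added example (not from the CIS/Tenable audit): find Exchange Online transport
# rules that whitelist sender domains (SenderDomainIs condition + SetSCL -1),
# write a report, and optionally remove them after a dry run.
# Assumptions: ExchangeOnlineManagement module installed; Exchange Administrator
# role; -Remove and -ReportPath are hypothetical parameter names chosen here.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    [string]$ReportPath = ".\whitelisted-domain-rules.csv"
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

# Same condition as the audit's verification command: a rule that matches on the
# sender's domain and forces SCL to -1 bypasses spam/phish filtering for that mail.
function Get-WhitelistingTransportRule {
    Get-TransportRule | Where-Object {
        $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs
    }
}

$whitelistRules = @(Get-WhitelistingTransportRule)

if ($whitelistRules.Count -eq 0) {
    Write-Host "Compliant: no transport rules whitelist specific sender domains."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# Record the findings before changing anything so there is an audit trail,
# including which domains each rule exempted and whether the rule was enabled.
$whitelistRules |
    Select-Object Name, State, Priority,
        @{ Name = 'SenderDomainIs'; Expression = { $_.SenderDomainIs -join ';' } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Warning ("{0} transport rule(s) whitelist sender domains; details written to {1}" -f `
    $whitelistRules.Count, $ReportPath)
$whitelistRules | Format-Table Name, State, Priority, SenderDomainIs -AutoSize

if ($Remove) {
    foreach ($rule in $whitelistRules) {
        # ShouldProcess makes -WhatIf and -Confirm work, so the removal can be
        # rehearsed before any rule is actually deleted.
        if ($PSCmdlet.ShouldProcess($rule.Name, "Remove-TransportRule")) {
            Remove-TransportRule -Identity $rule.Identity -Confirm:$false
        }
    }

    # Re-run the audit condition to verify the rules are gone.
    $remaining = @(Get-WhitelistingTransportRule)
    if ($remaining.Count -gt 0) {
        Write-Warning ("Rules still present: {0}" -f ($remaining.Name -join ', '))
    } else {
        Write-Host "Verified: no whitelisting transport rules remain."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with no switches to produce the CSV and review it against any documented business exceptions, then run it again with -Remove -WhatIf to see exactly which rules would be deleted, and finally with -Remove. Keeping the report is worthwhile because the exempted domains are the ones most likely to surface in later mail-flow complaints.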

See Also

https://workbench.cisecurity.org/files/4073