6.2.2 Ensure mail transport rules do not whitelist specific domains


Mail flow rules (transport rules) in Exchange Online are used to identify and take action on messages that flow through the organization.


Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.


Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To alter the mail transport rules so they do not whitelist any specific domains:

Navigate to Exchange admin center https://admin.exchange.microsoft.com..

Click to expand Mail Flow and then select Rules.

For each rule that whitelists specific domains, select the rule and click the 'Delete' icon.

To remove mail transport rules using PowerShell:

Connect to Exchange online using Connect-ExchangeOnline.

Run the following PowerShell command:

Remove-TransportRule {RuleName}

Verify the rules no longer exists.

Get-TransportRule | Where-Object {($_.setscl -eq -1 -and $_.SenderDomainIs -ne $null)} | ft Name,SenderDomainIs

See Also


Item Details


References: 800-53|CM-6b., CSCv7|7

Plugin: microsoft_azure

Control ID: 8fe8d6c0fc311c3c7aedd6f3c5297bf658e0e3c8c28cda3d6c2ebcecd558e114