2.4.2 Ensure Priority accounts have 'Strict protection' presets applied

Information

Preset security policies are defined by Microsoft, drawing on observations and experience across its datacenters, to balance keeping malicious content away from users against causing unwarranted disruption. They can be applied to all users or to selected users, and they carry Microsoft's recommended settings for spam, malware, and phishing threats. The policy settings are pre-determined and cannot be adjusted.

Strict protection is the most aggressive of the three presets (Built-in protection, Standard protection and Strict protection). It covers:

EOP: Anti-spam, Anti-malware and Anti-phishing

Defender: Spoof protection, Impersonation protection and Advanced phishing

Defender: Safe Links and Safe Attachments

NOTE: Preset security policies cannot currently target the Priority account tag. Put the priority accounts in a mail-enabled group (for example a distribution group or mail-enabled security group) and target that group instead.

Rationale:

Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.

Stringent, pre-defined policies may produce false positives. However, the benefit of having the end user review junk mail before it reaches the inbox outweighs the risk of a malicious message being trusted simply because it was delivered to the inbox.

Impact:

Strict policies are more likely to produce false positives from the anti-spam, anti-phishing, impersonation, spoof and mailbox intelligence verdicts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable the Strict preset security policies for Priority accounts:

Navigate to Microsoft 365 Defender https://security.microsoft.com/

Expand E-mail & collaboration.

Select Policies & rules > Threat policies > Preset security policies.

Click Manage protection settings for the Strict protection preset.

For Apply Exchange Online Protection, select at minimum Specific recipients and include the accounts/groups identified as Priority accounts.

For Apply Defender for Office 365 Protection, select at minimum Specific recipients and include the accounts/groups identified as Priority accounts.

For Impersonation protection, click Next and add the internal and external users (including the priority accounts) whose identities are likely to be impersonated.

For Protected custom domains, add the organization's own domain name alongside the domains of other key partners.

Click Next and finally Confirm.
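The same configuration, and the check an auditor would run against it, can be done from Exchange Online PowerShell. The script below is an added example, not part of the CIS benchmark or of Tenable's audit; it assumes the ExchangeOnlineManagement module is installed, that the caller holds an Exchange or Security Administrator role, that a mail-enabled group with the hypothetical address PriorityAccounts@contoso.com contains the priority users, and that the example display names, addresses and partner domain are placeholders for your own. "Strict Preset Security Policy" is Microsoft's fixed name for both the EOP and Defender rules of the Strict preset; the preset's anti-phishing policy is located by its RecommendedPolicyType because its name carries a tenant-specific suffix, and the Set-AntiPhishPolicy step assumes, as Microsoft documents, that only the impersonation settings of a preset policy are writable.

```powershell
# Added example (not from the benchmark): apply the Strict preset to priority accounts
# and verify it, using the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Hypothetical inputs: mail-enabled group(s) holding the priority accounts, the users most
# likely to be impersonated ("DisplayName;SMTPAddress" format), and domains to protect.
$PriorityGroups   = @('PriorityAccounts@contoso.com')
$ProtectedUsers   = @('Jane Doe (CEO);jane.doe@contoso.com',
                      'John Roe (CFO);john.roe@contoso.com')
$ProtectedDomains = @('contoso.com', 'fabrikam.com')   # own domain plus a key partner

# Microsoft's fixed rule name for the Strict preset (same name for the EOP and Defender rules).
$StrictRule = 'Strict Preset Security Policy'

# 1. Exchange Online Protection part (anti-spam, anti-malware, anti-phishing):
#    scope the rule to the priority groups and make sure it is enabled.
Set-EOPProtectionPolicyRule -Identity $StrictRule -SentToMemberOf $PriorityGroups
Enable-EOPProtectionPolicyRule -Identity $StrictRule

# 2. Defender for Office 365 part (Safe Links, Safe Attachments, impersonation).
#    The rule does not exist in tenants without a Defender for Office 365 licence, so guard it.
if (Get-ATPProtectionPolicyRule -Identity $StrictRule -ErrorAction SilentlyContinue) {
    Set-ATPProtectionPolicyRule -Identity $StrictRule -SentToMemberOf $PriorityGroups
    Enable-ATPProtectionPolicyRule -Identity $StrictRule
}

# 3. Impersonation protection lives in the preset's anti-phishing policy. Locate it by
#    RecommendedPolicyType rather than by name (the name has a tenant-specific suffix).
$StrictAntiPhish = Get-AntiPhishPolicy | Where-Object RecommendedPolicyType -eq 'Strict'
if ($StrictAntiPhish) {
    Set-AntiPhishPolicy -Identity $StrictAntiPhish.Identity `
        -EnableTargetedUserProtection $true    -TargetedUsersToProtect $ProtectedUsers `
        -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $ProtectedDomains `
        -EnableOrganizationDomainsProtection $true
}

# 4. Audit check: $true only when every Strict rule present is Enabled and every priority
#    group is in its SentToMemberOf scope. Assumes SentToMemberOf lists the groups by
#    SMTP address, so each group is matched on its address.
function Test-StrictPresetForPriorityAccounts {
    param([string[]]$Groups)
    $eop = Get-EOPProtectionPolicyRule -Identity $StrictRule -ErrorAction SilentlyContinue
    $atp = Get-ATPProtectionPolicyRule -Identity $StrictRule -ErrorAction SilentlyContinue
    if ($null -eq $eop) { Write-Warning "EOP rule '$StrictRule' not found"; return $false }
    $ok = $true
    foreach ($rule in @($eop, $atp)) {
        if ($null -eq $rule) { continue }
        if ($rule.State -ne 'Enabled') {
            Write-Warning "$($rule.Name) is $($rule.State)"; $ok = $false
        }
        foreach ($g in $Groups) {
            if (-not ($rule.SentToMemberOf -match [regex]::Escape($g))) {
                Write-Warning "$($rule.Name) does not scope group $g"; $ok = $false
            }
        }
    }
    return $ok
}

Test-StrictPresetForPriorityAccounts -Groups $PriorityGroups
Disconnect-ExchangeOnline -Confirm:$false
```

Set-EOPProtectionPolicyRule and Set-ATPProtectionPolicyRule replace the SentToMemberOf list rather than appending to it, so read the current value with the matching Get- cmdlet first if other groups are already in scope. The Test- function is the piece to keep for recurring compliance checks: it fails closed when the EOP rule is missing and warns per rule, so a Disabled Strict rule or a group dropped from scope shows up immediately rather than being masked by the Defender rule passing.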

Default Value:

By default, the Standard and Strict presets are not applied to any users or groups.

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-4, 800-53|SI-8, 800-53|SI-16

Plugin: microsoft_azure

Control ID: b6b935ff236212761916815d0403b90badbcc46045f3d566196c20fbccb2c43f