Removing Exempted Mail Domains [CHK-1061]
Mail flow rules, also known as transport rules, are used within Exchange Online to check emails for malware and phishing as they travel from sender to recipient. A domain can be excluded from these security checks, which attackers could misuse to deliver malicious mail unnoticed.
Rationale
Exempting domains in transport rules bypasses malware and phishing scanning. This could allow a malicious actor to launch attacks from a domain that is assumed to be safe.
Fix
An automated fix is not available for this check. To fix it yourself, follow these steps:
- Navigate to the Exchange admin center at https://admin.exchange.microsoft.com
- Expand Mail Flow and select Rules
- Click on the Delete icon for each rule that exempts specific domains
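The same review can be done from Exchange Online PowerShell, which is useful for auditing many rules at once. This is an added example, not part of the original check; it assumes the ExchangeOnlineManagement module is installed, the account holds an Exchange admin role, and that the exemption is implemented in the usual way (a rule that sets the spam confidence level to -1 for messages whose sender domain matches a fixed list, the pattern the CIS audit looks for). Removal is run with -WhatIf so nothing is deleted until the rules have been reviewed for a business need.

```powershell
# Added audit example (not from the check page or the product's own code).
# Assumes: ExchangeOnlineManagement module installed, admin rights held,
# and exemptions implemented as "SetSCL -1 + SenderDomainIs" rules.
Connect-ExchangeOnline

# Find transport rules that bypass spam/phish filtering for listed sender domains
$exemptions = Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs } |
    Select-Object Name, State, Priority, SetSCL, SenderDomainIs

if (-not $exemptions) {
    Write-Output "PASS: no transport rule exempts sender domains from filtering."
}
else {
    Write-Output "FAIL: the following rules exempt sender domains from filtering:"
    $exemptions | Format-Table -AutoSize

    # Keep an audit trail of what was configured before changing anything
    $exemptions | Export-Csv -Path .\exempted-domain-rules.csv -NoTypeInformation

    # Dry run of the removal; drop -WhatIf only after confirming each rule
    # has no legitimate business justification
    foreach ($rule in $exemptions) {
        Remove-TransportRule -Identity $rule.Name -Confirm:$false -WhatIf
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the query after removal; an empty result is the PASS condition for this check.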
Impact
Be cautious when removing exempted domains to ensure there are no legitimate business needs for exceptions. Removing all exempted domains may affect incoming email, although modern systems that send legitimate email should not have issues with scanning.
CIS Mapping
- CIS Item: 4.4 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
- Profile: E3 Level 1
More Information
For more information, visit these links: