Merge pull request #350 from maester365/AllowExternalInOutlook

Validate external sender identification
maester365 · Jul 14, 2024 · 43fc280 · 43fc280
2 parents 5277110 + e970fbc
commit 43fc280
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 12 deletions.
diff --git a/powershell/public/cisa/exchange/Test-MtCisaExternalSenderWarning.md b/powershell/public/cisa/exchange/Test-MtCisaExternalSenderWarning.md
@@ -2,8 +2,24 @@ External sender warnings SHALL be implemented.
 
 Rationale: Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender.
 
+> ⚠️ WARNING: This test allows the use of a technical mechanism that differs from CISA's, though the outcome is the same.
+
 #### Remediation action:
 
+##### Option 1: Use external sender identification
+
+This feature is only available for Outlook, Outlook for Mac, Outlook on the web, and Outlook for iOS and Android.
+
+1. Connect to Exchange Online using PowerShell module `ExchangeOnlineManagement`
+2. Enable the feature with the cmdlet `Set-ExternalInOutlook`
+
+```powershell
+Connect-ExchangeOnline
+Set-ExternalInOutlook -Enabled $true
+```
+
+##### Option 2: Prepend subject with "[External]"
+
 To create a mail flow rule to produce external sender warnings:
 1. Sign in to the **Exchange admin center**.
 2. Under **Mail flow**, select [**Rules**](https://admin.exchange.microsoft.com/#/transportrules).
@@ -28,4 +44,4 @@ To create a mail flow rule to produce external sender warnings:
 * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/EXOConfig.rego#L405)
 
 <!--- Results --->
-%TestResult%
+%TestResult%
diff --git a/powershell/public/cisa/exchange/Test-MtCisaExternalSenderWarning.ps1 b/powershell/public/cisa/exchange/Test-MtCisaExternalSenderWarning.ps1
@@ -17,30 +17,38 @@ Function Test-MtCisaExternalSenderWarning {
     [OutputType([bool])]
     param()
 
-    if(!(Test-MtConnection ExchangeOnline)){
+    if (!(Test-MtConnection ExchangeOnline)) {
         Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
         return $null
     }
 
-    $rules = Get-TransportRule
+    $ExternalSenderIdentification = Get-ExternalInOutlook
 
-    $resultRules = $rules | Where-Object {`
-            $_.State -eq "Enabled" -and `
-            $_.Mode -eq "Enforce" -and `
-            $_.FromScope -eq "NotInOrganization" -and `
-            $_.SenderAddressLocation -eq "Header" -and `
-            $_.PrependSubject -like "*[External]*"
-    }
+    if ($ExternalSenderIdentification.Enabled -eq $true) {
+        $testResult = $true
+    } else {
+
+        $rules = Get-TransportRule
 
-    $testResult = ($resultRules | Measure-Object).Count -ge 1
+        $resultRules = $rules | Where-Object {`
+                $_.State -eq "Enabled" -and `
+                $_.Mode -eq "Enforce" -and `
+                $_.FromScope -eq "NotInOrganization" -and `
+                $_.SenderAddressLocation -eq "Header" -and `
+                $_.PrependSubject -like "*[External]*"
+        }
+
+        $testResult = ($resultRules | Measure-Object).Count -ge 1
+    }
 
     if ($testResult) {
         $testResultMarkdown = "Well done. Your tenant has an external sender warning.`n`n%TestResult%"
     } else {
         $testResultMarkdown = "Your tenant does not have an external sender warning.`n`n%TestResult%"
     }
 
-    if ($rules) { # Only show table if there are rules
+    if ($rules) {
+        # Only show table if there are rules
         $result = "| Policy Name | Test Result |`n"
         $result += "| --- | --- |`n"
         foreach ($item in $rules | Sort-Object -Property Name) {
@@ -52,6 +60,20 @@ Function Test-MtCisaExternalSenderWarning {
             $result += "| [$($item.Name)]($portalLink) | $($itemResult) |`n"
         }
     }
+
+    if ( $ExternalSenderIdentification.Enabled -eq $true ) {
+        $result = "Exchange External Sender Identification is enabled.`n`n"
+        if ( -not [string]::IsNullOrWhiteSpace($ExternalSenderIdentification.AllowList) ) {
+            $result += "The following domains are allowed to bypass the external sender warning:`n"
+            foreach ( $item in $ExternalSenderIdentification.AllowList ) {
+                $result += " * $item`n"
+            }
+        } else {
+            $result += "No domains are allowed to bypass the external sender warning.`n"
+
+        }
+    }
+
     $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
 
     Add-MtTestResultDetail -Result $testResultMarkdown