
Defender outbound spam policy is configured to notify recipients when senders are blocked or exceed sending limits

defender_antispam_outbound_policy_configured

Severity: low
Service: defender
by Prowler

Microsoft Defender for Office 365 outbound spam policies must send administrator alerts and Bcc suspicious outbound messages when a sender exceeds limits or is blocked. The assessment checks that the notify-on-limit-exceeded and notify-on-sender-blocked settings are enabled, each with recipient addresses, in the default policy and any applicable custom policies.

Risk

Without these alerts and message copies, compromised mailboxes can exfiltrate data and send phishing undetected. This harms email deliverability through blocklisting and throttling (availability), undermines domain integrity, and impedes forensics by removing evidence needed to triage abusive outbound traffic.

Run this check with Prowler CLI

prowler m365 --checks defender_antispam_outbound_policy_configured

Recommendation

Enable outbound spam notifications and Bcc suspicious messages to a monitored mailbox, applying them consistently to default and scoped policies. Set prudent sending limits and block actions, disable unnecessary external forwarding, and monitor alerts, in line with least privilege and defense in depth.

Remediation

CLI

Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundMail $true -BccSuspiciousOutboundAdditionalRecipients "<INSERT-EMAIL>" -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients "<INSERT-EMAIL>"

Other
  1. Sign in to Microsoft 365 Defender: https://security.microsoft.com
  2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam
  3. Open Anti-spam outbound policy (Default) and select Edit protection settings
  4. Under Notifications:
    • Check "Send a copy of suspicious outbound messages or messages that exceed these limits to these users and groups" and add <EMAIL>
    • Check "Notify these users and groups if a sender is blocked due to sending outbound spam" and add <EMAIL>
  5. Click Save
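
To confirm the remediation took effect on every policy and not only the default one, the following added example (not Prowler's own code) audits a JSON export of the outbound policies for the two settings described above. It assumes the export comes from `Get-HostedOutboundSpamFilterPolicy | ConvertTo-Json`, that the output properties carry the same names as the cmdlet parameters shown in the CLI remediation, and that every policy in the export is applicable; the sample policies and addresses are constructed.

```python
import json

# Constructed sample shaped like `Get-HostedOutboundSpamFilterPolicy | ConvertTo-Json`;
# policy names and addresses are made up for illustration.
SAMPLE_EXPORT = """[
  {"Name": "Default", "BccSuspiciousOutboundMail": true,
   "BccSuspiciousOutboundAdditionalRecipients": ["soc@example.com"],
   "NotifyOutboundSpam": true, "NotifyOutboundSpamRecipients": ["soc@example.com"]},
  {"Name": "Finance outbound", "BccSuspiciousOutboundMail": true,
   "BccSuspiciousOutboundAdditionalRecipients": [],
   "NotifyOutboundSpam": false, "NotifyOutboundSpamRecipients": null},
  {"Name": "Contractors", "BccSuspiciousOutboundMail": false,
   "BccSuspiciousOutboundAdditionalRecipients": "soc@example.com",
   "NotifyOutboundSpam": true, "NotifyOutboundSpamRecipients": " "}
]"""

# Each notification toggle is only useful if its recipient list is non-empty.
REQUIRED = {
    "BccSuspiciousOutboundMail": "BccSuspiciousOutboundAdditionalRecipients",
    "NotifyOutboundSpam": "NotifyOutboundSpamRecipients",
}

def recipients(value):
    """Normalise null, a single string, or a list into a list of addresses."""
    if value is None:
        return []
    items = [value] if isinstance(value, str) else list(value)
    return [str(a).strip() for a in items if str(a).strip()]

def audit_policy(policy):
    """Return the list of findings for one policy; empty means compliant."""
    findings = []
    for toggle, rcpt_field in REQUIRED.items():
        if policy.get(toggle) is not True:
            findings.append(f"{toggle} is not enabled")
        elif not recipients(policy.get(rcpt_field)):
            findings.append(f"{toggle} is enabled but {rcpt_field} is empty")
    return findings

def audit_export(text):
    """Map policy name -> findings for every policy in a JSON export."""
    data = json.loads(text)
    policies = data if isinstance(data, list) else [data]  # one policy exports as an object
    return {p.get("Name", "<unnamed>"): audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL - ' + '; '.join(findings)}")
```

A policy with a toggle enabled but no recipients is reported as failing, since the alert or Bcc copy would have nowhere to go.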


Resource Type

NotDefined
