Microsoft Defender for Office 365 inbound anti-spam policies are evaluated for domains listed in AllowedSenderDomains.
The finding identifies any policy where this list is populated rather than empty.
Risk
Populating AllowedSenderDomains causes messages from those domains to skip spam filtering and the email authentication checks (SPF, DKIM, DMARC); such messages are typically delivered with SCL -1. Attackers can spoof those domains to phish credentials, conduct BEC, and tamper with mailboxes, undermining confidentiality and integrity.
prowler m365 --checks defender_antispam_policy_inbound_no_allowed_domains
Recommendation
- Keep AllowedSenderDomains empty.
- Use narrowly scoped allow logic that requires authentication alignment and additional conditions (sender, IP, headers).
- Make any exceptions temporary and reviewed.
Apply least privilege and defense in depth to email trust decisions.
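As an added example (not from the Prowler page or Microsoft's documentation), the following Exchange Online PowerShell creates the kind of narrowly scoped, time-limited allow the recommendation describes: a mail flow rule that sets SCL -1 only when the sender domain, the sending IP range and a DMARC pass in the Authentication-Results header all match. The partner domain `partner.example`, the range `203.0.113.0/24`, the 90-day review window and the `dmarc=pass` header pattern are assumptions; an Exchange Online session (Connect-ExchangeOnline) is assumed to be connected already.

```powershell
# Added example, not the Prowler check's code: a scoped allow via mail flow rule
# instead of populating AllowedSenderDomains.
# Assumptions: partner domain and IP range below are placeholders (documentation
# range); the session is already connected with Connect-ExchangeOnline.

$partnerDomain = 'partner.example'        # placeholder partner domain
$partnerRanges = @('203.0.113.0/24')      # placeholder sending range
$reviewDate    = (Get-Date).AddDays(90)   # exception expires unless re-reviewed

$rule = @{
    Name                       = "Scoped allow: $partnerDomain (review by $($reviewDate.ToString('yyyy-MM-dd')))"
    SenderDomainIs             = $partnerDomain          # condition 1: sender domain
    SenderIpRanges             = $partnerRanges          # condition 2: their known infrastructure
    HeaderMatchesMessageHeader = 'Authentication-Results'
    HeaderMatchesPatterns      = 'dmarc=pass'            # condition 3: DMARC alignment (assumed pattern)
    SetSCL                     = -1                      # only then bypass spam filtering
    ExpiryDate                 = $reviewDate             # makes the exception temporary
    Comments                   = 'Temporary exception; remove or re-review at expiry.'
    Mode                       = 'Enforce'
}

New-TransportRule @rule

# Verify the rule and its expiry so the exception is visible to reviewers.
Get-TransportRule -Identity $rule.Name | Select-Object Name, State, ExpiryDate, SetSCL
```

Because all three conditions must hold, a spoofed message from the partner domain that arrives from a different IP range or without a DMARC pass is still filtered normally, which is the property AllowedSenderDomains cannot give you.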
Remediation
Set-HostedContentFilterPolicy -Identity "<Policy name>" -AllowedSenderDomains $null
- Open Microsoft 365 Defender: https://security.microsoft.com/antispam
- Open each inbound anti-spam policy (Default and any custom).
- Click Edit allowed and blocked senders and domains.
- Select Allow domains.
- Remove all domains, then click Done and Save.
- Repeat for any remaining inbound anti-spam policies.
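The check and the remediation above, as an added example that is not the Prowler check's own code: an Exchange Online PowerShell script that enumerates every inbound anti-spam (hosted content filter) policy, reports those with a populated AllowedSenderDomains list, and clears the list on the failing ones. It assumes an Exchange Online session (Connect-ExchangeOnline) is already connected with rights to edit anti-spam policies; the function names are the example's own.

```powershell
# Added example, not the Prowler check's code. Assumes Connect-ExchangeOnline
# has already been run with an account that can edit anti-spam policies.

function Get-AllowedSenderDomainFindings {
    # One record per inbound anti-spam policy; Fail mirrors the Prowler finding.
    Get-HostedContentFilterPolicy | ForEach-Object {
        $domains = @($_.AllowedSenderDomains)
        [pscustomobject]@{
            Policy               = $_.Name
            IsDefault            = $_.IsDefault
            AllowedSenderDomains = $domains
            Fail                 = ($domains.Count -gt 0)
        }
    }
}

function Clear-AllowedSenderDomains {
    # Remediation: empty the list. Supports -WhatIf / -Confirm for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $PolicyName
    )
    foreach ($name in $PolicyName) {
        if ($PSCmdlet.ShouldProcess($name, 'Clear AllowedSenderDomains')) {
            Set-HostedContentFilterPolicy -Identity $name -AllowedSenderDomains $null
        }
    }
}

$findings = Get-AllowedSenderDomainFindings
$findings | Format-Table Policy, IsDefault, Fail,
    @{ Name = 'Domains'; Expression = { $_.AllowedSenderDomains -join ', ' } }

$failing = @($findings | Where-Object Fail)
if ($failing.Count -gt 0) {
    # Dry run first; remove -WhatIf to apply the change.
    Clear-AllowedSenderDomains -PolicyName $failing.Policy -WhatIf
}

# Re-run the audit afterwards; every policy should report Fail = False.
```

Run the audit part on its own before touching anything: the report tells you which policies (default and custom) carry allowed domains, so the exceptions can be replaced with scoped mail flow rules before the lists are cleared.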
Source Code
Resource Type
NotDefined
References
- https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-hostedcontentfilterpolicy?view=exchange-ps
- https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure
- https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about#allow-and-block-lists-in-anti-spam-policies