Microsoft Defender for Office 365 anti-malware policies are checked for admin notifications on malware detected from internal senders, ensuring a valid notification address is defined (EnableInternalSenderAdminNotifications and InternalSenderAdminAddress).
Effective settings across default and custom policies are considered.
Risk
Without these notifications, malware sent from internal accounts can persist unnoticed, delaying response and containment. This undermines the integrity of email, enables lateral movement and outbound propagation, and can cause domain reputation damage and blocklisting, affecting availability.
prowler m365 --checks defender_malware_policy_notifications_internal_users_malware_enabled
Recommendation
Enable and maintain admin alerts for internal-sender malware and route them to a monitored mailbox or SOC distribution list (EnableInternalSenderAdminNotifications and InternalSenderAdminAddress).
Ensure every recipient is covered once policy precedence is applied, integrate the alerts with the SIEM, and apply least privilege and defense in depth to limit impact.
Remediation
Set-MalwareFilterPolicy -Identity Default -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress "<ADMIN_EMAIL>"
- In the Microsoft Defender portal (security.microsoft.com), go to Email & collaboration > Policies & rules > Threat policies > Anti-malware
- Select the affected policy (e.g., Default) and click Edit policy
- Open Notifications
- Turn on "Notify an admin about undelivered messages from internal senders"
- Add at least one Administrator email address
- Save
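The following audit script is an added example, not Prowler's check code or Microsoft's; it mirrors what the check description above evaluates (the effective setting across the default policy and every custom policy) and prints the Set-MalwareFilterPolicy remediation from the section above for each policy that fails. It assumes the ExchangeOnlineManagement module is installed, Connect-ExchangeOnline has already been run, and that a custom policy is only in effect when its associated rule is enabled; the default policy applies whenever no enabled rule matches.

```powershell
# Added audit example (not Prowler's or Microsoft's code). Assumes an existing
# Connect-ExchangeOnline session with a role that can read threat policies.

function Test-InternalSenderAdminAddress {
    param([string]$Address)
    # A notification address only helps if it is a well-formed SMTP address;
    # an empty or malformed value means alerts silently go nowhere.
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    try {
        [void][System.Net.Mail.MailAddress]::new($Address)
        return $true
    } catch {
        return $false
    }
}

# Rules bind custom policies to recipients and carry the priority order.
# The default policy has no rule (IsDefault) and applies when nothing else matches.
$rules = Get-MalwareFilterRule

$report = foreach ($policy in Get-MalwareFilterPolicy) {
    $rule      = $rules | Where-Object { $_.MalwareFilterPolicy -eq $policy.Name }
    $inEffect  = [bool]$policy.IsDefault -or ($rule -and $rule.State -eq 'Enabled')
    $address   = [string]$policy.InternalSenderAdminAddress
    $addressOk = Test-InternalSenderAdminAddress -Address $address
    $notifyOn  = [bool]$policy.EnableInternalSenderAdminNotifications

    # Only policies that can actually apply to mail count as PASS or FAIL;
    # a disabled custom policy is reported separately so it is not mistaken for coverage.
    $status = 'FAIL'
    if (-not $inEffect) { $status = 'NOT IN EFFECT' }
    elseif ($notifyOn -and $addressOk) { $status = 'PASS' }

    [pscustomobject]@{
        Policy        = $policy.Name
        IsDefault     = [bool]$policy.IsDefault
        Priority      = if ($rule) { $rule.Priority } else { 'n/a (default)' }
        NotifyEnabled = $notifyOn
        AdminAddress  = $address
        AddressValid  = $addressOk
        Status        = $status
    }
}

$report | Format-Table -AutoSize

# Emit the remediation command for every policy that is in effect but failing.
# <ADMIN_EMAIL> is a placeholder for the monitored mailbox or SOC list address.
foreach ($f in ($report | Where-Object { $_.Status -eq 'FAIL' })) {
    "Set-MalwareFilterPolicy -Identity '$($f.Policy)' -EnableInternalSenderAdminNotifications `$true -InternalSenderAdminAddress '<ADMIN_EMAIL>'"
}
```

Run it before and after remediation: the first pass shows which effective policies lack a notification or carry an unusable address, and the second should show only PASS rows for every policy marked as in effect.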
Source Code
Resource Type
NotDefined