Microsoft 365 Exchange Online mail flow rules that whitelist specific sender domains by forcing SCL to -1 (skip spam filtering) on matching messages
Risk
Domain-based whitelisting skips anti-spam/phish analysis, allowing spoofed or compromised senders to reach the Inbox. This increases targeted phishing, BEC, and credential theft, enabling unauthorized access and data exfiltration, degrading confidentiality and integrity.
Run this check with Prowler CLI
prowler m365 --checks exchange_transport_rules_whitelist_disabled
Recommendation
Avoid blanket whitelisting. Do not set SCL to -1 based solely on sender domain.
- Prefer controlled allow mechanisms with review/expiry; keep anti-spam/phish active
- If exceptions are unavoidable, apply least privilege: add strong conditions (authentication results, known source IPs), narrow the scope, time-bound the exception, and monitor it
Remediation
CLI
Set-TransportRule -Identity <RuleName> -SetSCL 0
Other
- Open the Exchange admin center: https://admin.exchange.microsoft.com
- Go to Mail flow > Rules
- Edit any rule that has: condition "The sender domain is" AND action "Set the spam confidence level (SCL) = Bypass spam filtering"
- In Do the following, change "Set the spam confidence level (SCL)" from Bypass spam filtering to 0 (or remove the action)
- Click Save
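The following audit script is an added example (not Prowler's or Microsoft's code) that finds the rules this check flags and stages the CLI remediation above. It assumes an existing Exchange Online PowerShell session and treats a source-IP range or Authentication-Results header condition as the narrowing the recommendation asks for.

```powershell
# Added example: audit mail flow rules that bypass spam filtering purely on
# sender domain. Assumes Connect-ExchangeOnline has already been run.

# SetSCL is returned as an SclValue; compare as a string so -1 matches reliably.
$bypassScl = '-1'

$findings = Get-TransportRule | Where-Object {
    [string]$_.SetSCL -eq $bypassScl -and $_.SenderDomainIs
} | ForEach-Object {
    # Extra conditions (source IP ranges, a header match such as
    # Authentication-Results) narrow the rule; a rule without them is a
    # blanket domain whitelist, which is what this check reports.
    $hasNarrowing = $_.SenderIpRanges -or $_.HeaderMatchesMessageHeader
    [pscustomobject]@{
        Name          = $_.Name
        State         = $_.State
        Priority      = $_.Priority
        SenderDomains = ($_.SenderDomainIs -join ', ')
        Narrowed      = [bool]$hasNarrowing
    }
}

$findings | Format-Table -AutoSize

# Remediation from this page: keep the rule but stop forcing SCL to -1 so the
# message still goes through anti-spam/phish filtering.
# -WhatIf previews the change; remove it once the list above has been reviewed.
foreach ($rule in ($findings | Where-Object { -not $_.Narrowed })) {
    Set-TransportRule -Identity $rule.Name -SetSCL 0 -WhatIf
}
```

Rules reported as Narrowed still deserve review, since an IP or header condition only helps if it is specific to the legitimate sending infrastructure.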
Resource Type
NotDefined
References
- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl
- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices
- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules