Check: MSDE-00-000250
Microsoft Defender for Endpoint STIG:
MSDE-00-000250
(in version v1 r0.1)
Title
Microsoft Defender Endpoint (MDE) must enable Impersonation protection. (Cat II impact)
Discussion
Impersonation protection checks incoming email to determine whether the sender address resembles a user or domain on an agency-defined protected list. If the sender address is similar enough to indicate an impersonation attempt, the message is quarantined. Satisfies: SRG-APP-000210, SRG-APP-000272
Check Content
Access the MDE portal as a user with at least a Security Administrator or equivalent role:
1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Preset Security Policies" (under Templated policies).
3. Under Standard protection, verify the slide bar shows "Standard protection is on".
4. Under Strict protection, verify the slide bar shows "Strict protection is on".
If the slide bar shows "Standard protection is off" or "Strict protection is off", this is a finding.
Fix Text
Access the MDE portal as a user with at least a Security Administrator or equivalent role:
1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Preset Security Policies" (under Templated policies).
3. For both Standard protection and Strict protection, complete the following:
- Click "Manage protection settings".
- Under "Apply Exchange Online Protection", select recipients as defined by the authorizing official (AO) and then click "Next".
- Under "Apply Defender for Office 365 protection", select recipients as defined by the AO and then click "Next".
- Under "Impersonation protection", click "Next".
- Configure users, groups, and domains as defined by the AO and then click "Next".
- Under Policy mode, select the "Turn policy on when finished" radio button. Click "Next" and then click "Confirm".
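The same check can be scripted against Exchange Online instead of clicking through the portal, which is useful for recurring audits. The script below is an added example and is not part of the STIG or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the account used can read Exchange Online and Defender for Office 365 policies, that the preset rules carry the default names "Standard Preset Security Policy" and "Strict Preset Security Policy", and that each ATP rule's AntiPhishPolicy property names the anti-phishing policy that holds the impersonation settings; the sign-in UPN is a constructed placeholder.

```powershell
# Added example (not from the STIG): audit MSDE-00-000250 from PowerShell.
# Assumptions: ExchangeOnlineManagement module present; preset rule names are the
# Microsoft defaults; the ATP rule's AntiPhishPolicy property points at the preset's
# anti-phishing policy. The UPN below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$finding = $false

foreach ($preset in 'Standard', 'Strict') {
    $ruleName = "$preset Preset Security Policy"

    # Steps 3 and 4 of the check: the preset must be turned on. Each preset is backed
    # by two rules, one for Exchange Online Protection and one for Defender for Office 365.
    $eopRule = Get-EOPProtectionPolicyRule -Identity $ruleName -ErrorAction SilentlyContinue
    $atpRule = Get-ATPProtectionPolicyRule -Identity $ruleName -ErrorAction SilentlyContinue

    foreach ($rule in @($eopRule, $atpRule)) {
        if ($null -eq $rule -or $rule.State -ne 'Enabled') {
            Write-Warning "$ruleName rule is missing or not enabled (State = $($rule.State))"
            $finding = $true
        }
    }
    if ($null -eq $atpRule) { continue }

    # Impersonation protection lives in the anti-phishing policy attached to the preset.
    # A preset that is "on" but protects no users or domains does not deliver what the
    # Discussion describes, so check that at least one list (or the org's own domains) is set.
    $phish = Get-AntiPhishPolicy -Identity $atpRule.AntiPhishPolicy -ErrorAction SilentlyContinue
    if ($null -eq $phish) {
        Write-Warning "$ruleName anti-phishing policy '$($atpRule.AntiPhishPolicy)' not found"
        $finding = $true
        continue
    }

    $protectedUsers   = @($phish.TargetedUsersToProtect).Count
    $protectedDomains = @($phish.TargetedDomainsToProtect).Count
    $usersListed   = $phish.EnableTargetedUserProtection    -and $protectedUsers   -gt 0
    $domainsListed = $phish.EnableTargetedDomainsProtection -and $protectedDomains -gt 0
    $orgDomains    = [bool]$phish.EnableOrganizationDomainsProtection

    if (-not ($usersListed -or $domainsListed -or $orgDomains)) {
        Write-Warning "$ruleName has no users or domains configured for impersonation protection"
        $finding = $true
    }

    # Summary row per preset, so the actions taken on impersonation are visible in the audit record.
    [pscustomobject]@{
        Preset              = $preset
        EOPRuleState        = $eopRule.State
        ATPRuleState        = $atpRule.State
        UserImpersonation   = $phish.TargetedUserProtectionAction
        DomainImpersonation = $phish.TargetedDomainProtectionAction
        ProtectedUsers      = $protectedUsers
        ProtectedDomains    = $protectedDomains
        OrgDomainsProtected = $orgDomains
    }
}

if ($finding) { Write-Output 'MSDE-00-000250: FINDING' } else { Write-Output 'MSDE-00-000250: not a finding' }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an account with at least the Security Reader role to audit, or Security Administrator if you intend to remediate afterwards with Enable-EOPProtectionPolicyRule and Enable-ATPProtectionPolicyRule. The script reports a finding if either preset's rule is disabled, mirroring the portal check, and additionally warns when a preset is on but has nothing listed to protect.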
Additional Identifiers
Rule ID: SV-272885r1085735_rule
Vulnerability ID: V-272885
Group Title: SRG-APP-000210
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001170 | Prevents the automatic execution of mobile code in organization-defined software applications. |
CCI-004964 | Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy. |
Controls
Number | Title |
---|---|
SC-18(4) | Prevent Automatic Execution |