Check: MSDE-00-000200
Microsoft Defender for Endpoint STIG:
MSDE-00-000200
(in version v1 r0.1)
Title
Microsoft Defender Endpoint (MDE) must enable Safe Attachments. (Cat II impact)
Discussion
The Safe Attachments feature will scan messages for attachments with malicious content. All messages with attachments not already flagged by anti-malware protections in EOP are downloaded to a Microsoft virtual environment for further analysis. Safe Attachments then uses machine learning and other analysis techniques to detect malicious intent. While Safe Attachments for Exchange Online is automatically configured in the preset policies, separate action is needed to enable it for other products.

Satisfies: SRG-APP-000209, SRG-APP-000112, SRG-APP-000206
Check Content
Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select Safe Attachments (under policies).
3. Verify a policy has been configured as defined by the AO and the Status is "On".

If no policy has been configured and set to "On", this is a finding.
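A scripted equivalent of the portal check above, as an added example that is not part of the STIG. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and that the portal "Status" column corresponds to the State of the Safe Attachments rule; the function name is hypothetical. Whether the policy matches what the AO defined still requires manual review of the listed settings.

```powershell
# Added example, not STIG content. Assumes the ExchangeOnlineManagement module
# and an existing Connect-ExchangeOnline session that can read threat policies.
function Get-SafeAttachmentsCheck {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $policies = @(Get-SafeAttachmentPolicy)
    $rules    = @(Get-SafeAttachmentRule)

    # Join each rule to the policy it applies so State and Action sit side by side.
    $rows = foreach ($rule in $rules) {
        $policy = $policies |
            Where-Object { $_.Name -eq $rule.SafeAttachmentPolicy } |
            Select-Object -First 1
        [pscustomobject]@{
            Policy       = $rule.SafeAttachmentPolicy
            Rule         = $rule.Name
            RuleState    = $rule.State      # assumed to back the portal "Status" column
            Priority     = $rule.Priority
            PolicyEnable = [bool]$policy.Enable
            Action       = $policy.Action   # compare against the AO-defined setting
        }
    }

    # A row counts as "On" only when the rule is enabled and the policy itself is enabled.
    $active   = @($rows | Where-Object { $_.RuleState -eq 'Enabled' -and $_.PolicyEnable })
    $inactive = @($rows | Where-Object { -not ($_.RuleState -eq 'Enabled' -and $_.PolicyEnable) })

    # Policies with no matching Safe Attachments rule are listed for manual review.
    $noRule = @($policies |
        Where-Object { $_.Name -notin $rules.SafeAttachmentPolicy } |
        ForEach-Object Name)

    [pscustomobject]@{
        CheckId          = 'MSDE-00-000200'
        Finding          = ($active.Count -eq 0)
        ActivePolicies   = $active
        InactivePolicies = $inactive
        PoliciesNoRule   = $noRule
    }
}

$result = Get-SafeAttachmentsCheck
$result.ActivePolicies | Sort-Object Priority | Format-Table -AutoSize
if ($result.Finding) { Write-Warning 'No Safe Attachments policy is On: finding.' }
```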
Fix Text
Access the MDE portal as a user with at least a Security Administrator or equivalent role:

1. In the navigation pane, select Settings >> Email & collaboration >> Threat policies (under Policies & rules).
2. Select "Safe Attachments" (under policies).
3. Create and enable a policy as defined by the AO.
Additional Identifiers
Rule ID: SV-272884r1085732_rule
Vulnerability ID: V-272884
Group Title: SRG-APP-000209
CCIs
Number | Definition |
---|---|
CCI-001166 | Identify organization-defined unacceptable mobile code. |
CCI-001169 | Prevent the download of organization-defined unacceptable mobile code. |
CCI-001695 | Prevent the execution of organization-defined unacceptable mobile code. |