using module "..\ORCA.psm1"
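class ORCA118_4 : ORCACheck
{
    <#
        CONSTRUCTOR with Check Header Data
    #>
    ORCA118_4()
    {
        $this.Control="118-4"
        $this.Area="Transport Rules"
        $this.Name="Domain Allow Listing"
        $this.PassText="Your own domains are not being allow listed in an unsafe manner"
        $this.FailRecommendation="Remove allow listing on domains belonging to your organisation"
        $this.Importance="Emails coming from allow listed domains bypass several layers of protection within Exchange Online Protection. When allow listing your own domains, an attacker can spoof any account in your organisation that has this domain. This is a significant phishing attack vector."
        $this.ExpandResults=$True
        $this.CheckType=[CheckType]::ObjectPropertyValue
        $this.ObjectType="Transport Rule"
        $this.ItemName="Condition"
        $this.DataType="Allow Listed Address"
        $this.ChiValue=[ORCACHI]::Critical
        $this.Links= @{
            "Exchange admin center in Exchange Online"="https://outlook.office365.com/ecp/"
            "Using Exchange Transport Rules (ETRs) to allow specific senders"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#using-exchange-transport-rules-etrs-to-allow-specific-senders-recommended"
        }
    }

    <#
        RESULTS

        Reports every transport rule that sets SCL to -1 (skips spam filtering) for a
        bare sender domain that is one of the tenant's own accepted domains, unless
        the rule is also constrained by an Authentication-Results header condition or
        exception, or by a sender IP range. Without such a constraint, a message that
        merely claims to come from the organisation's domain is allow listed, so the
        rule can be abused for spoofing. Results are recorded via $this.AddConfig.

        $Config is expected to carry "TransportRules" and "AcceptedDomains" entries
        (the only keys this method reads).
    #>
    GetResults($Config)
    {
        # Look through Transport Rules for an action SetSCL -1
        ForEach($TransportRule in $Config["TransportRules"])
        {
            If($TransportRule.SetSCL -ne "-1")
            {
                continue
            }

            # Rules that apply to the sender domain.
            # The ".+@" tests keep only values that are a bare domain rather than a
            # full address; an address-level allow list is out of scope for this check.
            $AppliesToSenderDomain = ($null -ne $TransportRule.SenderDomainIs) -or
                ($null -ne $TransportRule.FromAddressContainsWords -and $TransportRule.FromAddressContainsWords -notmatch ".+@") -or
                ($null -ne $TransportRule.FromAddressMatchesPatterns -and $TransportRule.FromAddressMatchesPatterns -notmatch ".+@")
            If(-not $AppliesToSenderDomain)
            {
                continue
            }

            # A condition on the Authentication-Results header and its value means the
            # allow listing is tied to a passed authentication result, not just the domain.
            $HasAuthResultsCondition = ($TransportRule.HeaderContainsMessageHeader -eq 'Authentication-Results' -and $null -ne $TransportRule.HeaderContainsWords) -or
                ($TransportRule.HeaderMatchesMessageHeader -like '*Authentication-Results*' -and $null -ne $TransportRule.HeaderMatchesPatterns)
            # Same idea expressed as an exception on the Authentication-Results header.
            $HasAuthResultsException = ($TransportRule.ExceptIfHeaderContainsMessageHeader -eq 'Authentication-Results' -and $null -ne $TransportRule.ExceptIfHeaderContainsWords) -or
                ($TransportRule.ExceptIfHeaderMatchesMessageHeader -like '*Authentication-Results*' -and $null -ne $TransportRule.ExceptIfHeaderMatchesPatterns)
            # A sender IP range restricts the bypass to known sending infrastructure.
            $HasSenderIpRestriction = $null -ne $TransportRule.SenderIpRanges

            If($HasAuthResultsCondition -or $HasAuthResultsException -or $HasSenderIpRestriction)
            {
                # OK - the domain allow list is constrained by something an attacker cannot trivially forge
                continue
            }

            # Unconstrained: fail every rule domain that is an organisation domain.
            ForEach($RuleDomain in $($TransportRule.SenderDomainIs))
            {
                If($this.IsAcceptedDomain($Config, $RuleDomain))
                {
                    $this.AddDomainFailure($TransportRule, "From Domain", $RuleDomain)
                }
            }
            ForEach($FromAddressContains in $($TransportRule.FromAddressContainsWords))
            {
                If($this.IsAcceptedDomain($Config, $FromAddressContains))
                {
                    # ConfigData is set here so the offending value appears in the report
                    $this.AddDomainFailure($TransportRule, "From Contains", $FromAddressContains)
                }
            }
            # NOTE(review): FromAddressMatchesPatterns can make a rule eligible above, but
            # its values are patterns, not plain domain names, so they are not compared
            # against accepted domains here and such rules produce no result - confirm
            # whether a pattern-based comparison is wanted.
        }
    }

    # True when $Domain exactly matches the Name of one of the tenant's accepted domains.
    hidden [bool] IsAcceptedDomain($Config, $Domain)
    {
        return (@($Config["AcceptedDomains"] | Where-Object {$_.Name -eq $Domain}).Count -gt 0)
    }

    # Records one failing transport rule / domain pair as a Standard-level "Fail" result.
    hidden [void] AddDomainFailure($TransportRule, [string]$ConfigItem, $ConfigData)
    {
        $ConfigObject = [ORCACheckConfig]::new()
        $ConfigObject.Object=$($TransportRule.Name)
        $ConfigObject.ConfigItem=$ConfigItem
        $ConfigObject.ConfigData=$($ConfigData)
        # A disabled rule is still reported, but flagged so it is not mistaken for an active bypass
        $ConfigObject.ConfigDisabled=$($TransportRule.State -eq "Disabled")
        $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
        $this.AddConfig($ConfigObject)
    }
}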