using module "..\ORCA.psm1"
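class ORCA241 : ORCACheck
{
    <#
        ORCA241 - First Contact Safety Tip

        Reports, per anti-phishing policy, whether EnableFirstContactSafetyTips
        is on. A tenant-wide legacy transport rule that sets the
        X-MS-Exchange-EnableFirstContactSafetyTip header is reported as
        Informational instead of Fail, because it delivers the same tip through
        a deprecated mechanism. A tenant with no enabled anti-phishing policy at
        all gets a single Fail entry.
    #>
    ORCA241()
    {
        $this.Control=241
        $this.Services=[ORCAService]::MDO
        $this.Area="Microsoft Defender for Office 365 Policies"
        $this.Name="First Contact Safety Tip"
        $this.PassText="Anti-phishing policy exists and EnableFirstContactSafetyTips is true"
        $this.FailRecommendation="Enable first contact safety tips to highlight suspicious messages to users."
        # Typo fix in the report text ("if it they" -> "if they").
        $this.Importance="Attackers pretend to be other people in order to trick users. By enabling first contact safety tips, users are shown a visual representation on the email that this is the first time that they have received an email from this sender. This can trigger users into being suspicious of an email if they believe it is coming from someone they know."
        $this.ExpandResults=$True
        $this.CheckType=[CheckType]::ObjectPropertyValue
        $this.ObjectType="Antiphishing Policy"
        $this.ItemName="Setting"
        $this.DataType="Current Value"
        $this.ChiValue=[ORCACHI]::High
        $this.Links= @{
            "First Contact Safety Tip"="https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip"
            "Microsoft 365 Defender Portal - Anti-phishing"="https://security.microsoft.com/antiphishing"
        }
    }

    <#
        RESULTS

        $Config is the collected tenant configuration; this check reads
        $Config["TransportRules"], $Config["AntiPhishPolicy"],
        $Config["PolicyStates"] (keyed by policy GUID string) and
        $Config["AnyPolicyState"]. Results are added via $this.AddConfig.
    #>
    GetResults($Config)
    {
        # Look for a legacy transport rule that turns the tip on for the whole
        # tenant. To count it must be enforcing (not Test/Audit mode), enabled,
        # set the expected header/value, and carry no conditions or exceptions:
        # a scoped rule only covers a subset of recipients and is not equivalent
        # to the policy setting. String -eq is case-insensitive in PowerShell,
        # so "enable" also matches "Enable".
        $LegacyTRRule = $false
        $LegacyTRRuleName = ""

        ForEach($TransportRule in $Config["TransportRules"])
        {
            $SetsTipHeader = ($TransportRule.SetHeaderName -eq "X-MS-Exchange-EnableFirstContactSafetyTip") -and ($TransportRule.SetHeaderValue -eq "enable")

            If($TransportRule.Mode -eq "Enforce" -and $TransportRule.State -eq "Enabled" -and $SetsTipHeader)
            {
                # -not treats both $null and an empty collection as "no
                # conditions/exceptions"; a rule with any predicate is skipped.
                # If several rules qualify, the last one seen is the one named.
                If((-not $TransportRule.Conditions) -and (-not $TransportRule.Exceptions))
                {
                    $LegacyTRRule = $true
                    $LegacyTRRuleName = $TransportRule.Name
                }
            }
        }

        ForEach($Policy in $Config["AntiPhishPolicy"])
        {
            # PolicyStates carries the evaluated state (name, disabled, applies)
            # for this policy's GUID; look it up once rather than per property.
            $PolicyGuid = $Policy.Guid.ToString()
            $PolicyState = $Config["PolicyStates"][$PolicyGuid]

            $ConfigObject = [ORCACheckConfig]::new()
            $ConfigObject.Object = $PolicyState.Name
            $ConfigObject.ConfigItem = "EnableFirstContactSafetyTips"
            $ConfigObject.ConfigData = $Policy.EnableFirstContactSafetyTips
            $ConfigObject.ConfigDisabled = $PolicyState.Disabled
            $ConfigObject.ConfigWontApply = !$PolicyState.Applies
            $ConfigObject.ConfigReadonly = $Policy.IsPreset
            $ConfigObject.ConfigPolicyGuid = $PolicyGuid

            If($Policy.EnableFirstContactSafetyTips -eq $true)
            {
                $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Pass")
            }
            ElseIf($LegacyTRRule)
            {
                # Setting is off in the policy, but a tenant-wide transport rule
                # provides the same tip; flag it as Informational so the admin
                # migrates to the policy rather than treating it as a failure.
                $ConfigObject.SetResult([ORCAConfigLevel]::Standard,[ORCAResult]::Informational)
                $ConfigObject.ConfigData = "Disabled but enabled using legacy transport rule " + $LegacyTRRuleName
                $ConfigObject.InfoText = "Transport Rules are a legacy way of applying this configuration, and we recommend moving to policies"
            }
            Else
            {
                $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
            }

            $this.AddConfig($ConfigObject)
        }

        # No enabled anti-phishing policy at all: nothing above produced an
        # applicable result, so emit an explicit Fail so the control is not
        # silently empty.
        If($Config["AnyPolicyState"][[PolicyType]::Antiphish] -eq $False)
        {
            $ConfigObject = [ORCACheckConfig]::new()
            $ConfigObject.Object = "No Enabled Policies"
            $ConfigObject.ConfigItem = "EnableFirstContactSafetyTips"
            $ConfigObject.ConfigData = "False"
            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
            $this.AddConfig($ConfigObject)
        }
    }
}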