chore(m365): enhance metadata for defender service (#9681)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -32,6 +32,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Oracle Cloud Identity service metadata to new format [(#9375)](https://github.com/prowler-cloud/prowler/pull/9375)
 - Update Alibaba Cloud services metadata to new format [(#10289)](https://github.com/prowler-cloud/prowler/pull/10289)
 - Update M365 Admin Center service metadata to new format [(#9680)](https://github.com/prowler-cloud/prowler/pull/9680)
+- Update M365 Defender service metadata to new format [(#9681)](https://github.com/prowler-cloud/prowler/pull/9681)
 
 ---
 

prowler/providers/m365/services/defender/defender_antiphishing_policy_configured/defender_antiphishing_policy_configured.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "m365",
   "CheckID": "defender_antiphishing_policy_configured",
-  "CheckTitle": "Ensure anti-phishing policies are properly configured and active.",
+  "CheckTitle": "Defender anti-phishing policy active, quarantines spoofed senders and DMARC reject/quarantine failures, honors DMARC policy, safety tips enabled",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "Defender Anti-Phishing Policy",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "security",
-  "Description": "Ensure that anti-phishing policies are created and configured for specific users, groups, or domains, taking precedence over the default policy. This check verifies the existence of rules within policies and validates specific policy settings such as spoof intelligence, DMARC actions, safety tips, and unauthenticated sender actions.",
-  "Risk": "Without anti-phishing policies, organizations may rely solely on default settings, which might not adequately protect against phishing attacks targeted at specific users, groups, or domains. This increases the risk of successful phishing attempts and potential data breaches.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
+  "Description": "**Microsoft Defender for Office 365 anti-phishing policies** are evaluated for custom scoping to users, groups, or domains and precedence over the default, plus key settings: **spoof intelligence**, DMARC honoring, `quarantine` actions for spoof/DMARC, **safety tips**, unauthenticated sender indicators, and policy enablement.",
+  "Risk": "Missing or lax configuration lets **spoofed** and **impersonated** emails reach inboxes. Ignoring DMARC or not using `quarantine` enables delivery of fraudulent messages, driving **credential theft**, **BEC**, and **account takeover**, compromising data **confidentiality** and **integrity** and enabling lateral movement via mailbox rule abuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-mdo-configure",
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "$params = @{Name='<policy_name>';PhishThresholdLevel=3;EnableTargetedUserProtection=$true;EnableOrganizationDomainsProtection=$true;EnableMailboxIntelligence=$true;EnableMailboxIntelligenceProtection=$true;EnableSpoofIntelligence=$true;TargetedUserProtectionAction='Quarantine';TargetedDomainProtectionAction='Quarantine';MailboxIntelligenceProtectionAction='Quarantine';TargetedUserQuarantineTag='DefaultFullAccessWithNotificationPolicy';MailboxIntelligenceQuarantineTag='DefaultFullAccessWithNotificationPolicy';TargetedDomainQuarantineTag='DefaultFullAccessWithNotificationPolicy';EnableFirstContactSafetyTips=$true;EnableSimilarUsersSafetyTips=$true;EnableSimilarDomainsSafetyTips=$true;EnableUnusualCharactersSafetyTips=$true;HonorDmarcPolicy=$true}; New-AntiPhishPolicy @params; New-AntiPhishRule -Name $params.Name -AntiPhishPolicy $params.Name -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0",
+      "CLI": "",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-phishing 5. Ensure policies have rules with the state set to 'on' and validate settings: spoof intelligence enabled, spoof intelligence action set to 'Quarantine', DMARC reject and quarantine actions, safety tips enabled, unauthenticated sender action enabled, show tag enabled, and honor DMARC policy enabled. If not, modify them to be as recommended.",
+      "Other": "1. Go to Microsoft 365 Defender: https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Anti-phishing\n2. Open the Default anti-phishing policy and click Edit\n3. Spoof settings: ensure Enable spoof intelligence is On and set If the message is detected as spoof by spoof intelligence to Quarantine\n4. DMARC: turn On Honor DMARC record policy and set both actions to Quarantine:\n   - If DMARC policy is p=quarantine: Quarantine\n   - If DMARC policy is p=reject: Quarantine\n5. Safety tips & indicators: turn On Show first contact safety tip, Show (?) for unauthenticated senders for spoof, and Show \"via\" tag\n6. Save changes\n7. If using custom anti-phishing policies, ensure their rule Status is On",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Create and configure anti-phishing policies for specific users, groups, or domains to enhance protection against phishing attacks.",
-      "Url": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+      "Text": "Apply **defense in depth** for email:\n- Create high-priority custom policies for sensitive users/groups/domains\n- Enable **spoof intelligence**; honor DMARC (`p=quarantine`, `p=reject`) with `quarantine` actions\n- Turn on **safety tips** and unauthenticated sender tags\n- Review policy precedence, scope, and thresholds regularly to minimize false positives",
+      "Url": "https://hub.prowler.com/check/defender_antiphishing_policy_configured"
     }
   },
   "Categories": [
+    "email-security",
     "e5"
   ],
   "DependsOn": [],

prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_empty_ip_allowlist/defender_antispam_connection_filter_policy_empty_ip_allowlist.metadata.json

@@ -1,30 +1,34 @@
 {
   "Provider": "m365",
   "CheckID": "defender_antispam_connection_filter_policy_empty_ip_allowlist",
-  "CheckTitle": "Ensure the Anti-Spam Connection Filter Policy IP Allowlist is empty or undefined.",
+  "CheckTitle": "Defender Antispam Connection Filter Policy IP Allowlist is empty or undefined",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Defender Anti-Spam Policy",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "security",
-  "Description": "This check focuses on Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations. It ensures that the connection filter policy's IP Allowlist is empty or undefined to prevent bypassing spam filtering and sender authentication checks, which could lead to successful delivery of malicious emails.",
-  "Risk": "Using the IP Allowlist without additional verification like mail flow rules poses a risk, as emails from these sources skip essential security checks (SPF, DKIM, DMARC). This could allow attackers to deliver harmful emails directly to the Inbox.",
+  "Description": "**Microsoft Defender connection filter policy** is evaluated to determine whether the **IP Allowlist** (`IPAllowList`) is configured. The finding indicates if any IP addresses are present in the policy's allow list for Exchange Online or standalone EOP environments.",
+  "Risk": "Allowlisted IPs bypass **SPF**, **DKIM**, **DMARC** and antispam, enabling **phishing** and **spoofing** that steal credentials (confidentiality), deliver **malware** or fraudulent mail (integrity), and cause **inbox flooding** (availability). Attackers can abuse compromised or shared relays on those IPs to deliver malicious mail.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/powershell/module/exchange/set-hostedconnectionfilterpolicy?view=exchange-ps"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{}",
+      "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-spam and click on the Connection filter policy (Default). 5. Remove IP entries from the allow list. 6. Click Save.",
+      "Other": "1. Go to https://security.microsoft.com and sign in\n2. Email & collaboration > Policies & rules > Threat policies\n3. Open Anti-spam > Connection filter policy (Default)\n4. Edit the IP allow list and remove all entries\n5. Click Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure that the IP Allowlist in your connection filter policy is empty or undefined to prevent bypassing essential security checks.",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-hostedconnectionfilterpolicy?view=exchange-ps"
+      "Text": "Keep the **IP Allowlist** empty. Rely on layered controls: **SPF**, **DKIM**, **DMARC**, connection filtering, and content scanning. *If an exception is unavoidable*, apply **defense in depth** (sender auth, TLS, reputation checks, and tight scope/time limits) and prefer domain- or certificate-based trust over static IPs. Monitor delivery logs for abuse.",
+      "Url": "https://hub.prowler.com/check/defender_antispam_connection_filter_policy_empty_ip_allowlist"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],

prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_safe_list_off/defender_antispam_connection_filter_policy_safe_list_off.metadata.json

@@ -1,30 +1,35 @@
 {
   "Provider": "m365",
   "CheckID": "defender_antispam_connection_filter_policy_safe_list_off",
-  "CheckTitle": "Ensure the default connection filter policy has the SafeList setting disabled",
+  "CheckTitle": "Defender Antispam Connection Filter Policy has Safe List disabled",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Defender Anti-Spam Policy",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "security",
-  "Description": "This check ensures that the EnableSafeList setting in the default connection filter policy is set to False. The safe list, managed dynamically by Microsoft, allows emails from listed IPs to bypass spam filtering and sender authentication checks, posing a security risk.",
-  "Risk": "If the safe list is enabled, emails from IPs on this list can bypass essential security checks (SPF, DKIM, DMARC), potentially allowing malicious emails to be delivered directly to users' inboxes.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure",
+  "Description": "**Microsoft Defender for Office 365 connection filter policy** safe list setting is evaluated. When enabled, mail from Microsoft-managed IPs skips spam filtering and some sender authentication. The finding indicates whether this implicit bypass is turned off.",
+  "Risk": "With the safe list on, inbound mail can bypass SPF/DKIM/DMARC and spam heuristics, allowing spoofed or phishing messages to reach inboxes. This risks credential theft (confidentiality), enables account takeover and tampering (integrity), and may lead to malware-driven outages (availability).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure",
+    "https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-spam and click on the Connection filter policy (Default). 5. Disable the safe list option. 6. Click Save.",
+      "Other": "1. Go to https://security.microsoft.com/antispam\n2. Select Connection filter policy (Default)\n3. Click Edit connection filter policy\n4. Uncheck Turn on safe list\n5. Click Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure that the EnableSafeList setting in your connection filter policy is set to False to prevent bypassing essential security checks.",
-      "Url": "https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list"
+      "Text": "Disable the **safe list** (`EnableSafeList=false`). Favor **allow-by-exception**: use the **Tenant Allow/Block List** or tightly scoped IPs only when necessary and validated by strong **email authentication**. Apply **least privilege**, review exceptions regularly, and layer **defense in depth** with anti-phishing and monitoring.",
+      "Url": "https://hub.prowler.com/check/defender_antispam_connection_filter_policy_safe_list_off"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],

prowler/providers/m365/services/defender/defender_antispam_outbound_policy_configured/defender_antispam_outbound_policy_configured.metadata.json

@@ -1,30 +1,35 @@
 {
   "Provider": "m365",
   "CheckID": "defender_antispam_outbound_policy_configured",
-  "CheckTitle": "Ensure Defender Outbound Spam Policies are set to notify administrators.",
+  "CheckTitle": "Defender outbound spam policy is configured to notify recipients when senders are blocked or exceed sending limits",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "Defender Anti-Spam Outbound Policy",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "security",
-  "Description": "Ensure that outbound anti-spam policies are configured to notify administrators and copy suspicious outbound messages to designated recipients when a sender is blocked for sending spam emails.",
-  "Risk": "Without outbound spam notifications and message copies, compromised accounts may go undetected, increasing the risk of reputation damage or data leakage through unauthorized email activity.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+  "Description": "**Microsoft Defender for Office 365 outbound spam policies** must send **administrator alerts** and Bcc **suspicious outbound messages** when a sender exceeds limits or is blocked. The assessment checks for `notify limit exceeded` and `notify sender blocked` with recipient addresses in the default policy and any applicable custom policies.",
+  "Risk": "Absent alerts and copies, **compromised mailboxes** can exfiltrate data and send phishing undetected. This harms **email deliverability** through blocklisting and throttling (**availability**), undermines domain **integrity**, and impedes **forensics** by removing evidence needed to triage abusive outbound traffic.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+    "https://learn.microsoft.com/is-is/defender-office-365/outbound-spam-policies-configure"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "$BccEmailAddress = @(\"<INSERT-EMAIL>\")\n$NotifyEmailAddress = @(\"<INSERT-EMAIL>\")\nSet-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress",
+      "CLI": "Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundMail $true -BccSuspiciousOutboundAdditionalRecipients \"<INSERT-EMAIL>\" -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients \"<INSERT-EMAIL>\"",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules > Threat policies. 3. Under Policies, select Anti-spam. 4. Click on the Anti-spam outbound policy (default). 5. Select Edit protection settings then under Notifications: 6. Check 'Send a copy of suspicious outbound messages or message that exceed these limits to these users and groups' and enter the email addresses. 7. Check 'Notify these users and groups if a sender is blocked due to sending outbound spam' and enter the desired email addresses. 8. Click Save.",
+      "Other": "1. Sign in to Microsoft 365 Defender: https://security.microsoft.com\n2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam\n3. Open Anti-spam outbound policy (Default) and select Edit protection settings\n4. Under Notifications:\n   - Check \"Send a copy of suspicious outbound messages or messages that exceed these limits to these users and groups\" and add <EMAIL>\n   - Check \"Notify these users and groups if a sender is blocked due to sending outbound spam\" and add <EMAIL>\n5. Click Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Configure Defender outbound spam filter policies to notify administrators and copy suspicious outbound messages when users are blocked for sending spam.",
-      "Url": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about"
+      "Text": "Enable outbound spam notifications and Bcc suspicious messages to a monitored mailbox, applying them consistently to default and scoped policies. Set prudent sending limits and block actions, disable unnecessary external forwarding, and monitor alerts-aligning with **least privilege** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/defender_antispam_outbound_policy_configured"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],