cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

ScubaGear does not check for the prevention of users from downloading malicious files #1189

Open tkol2022 opened 4 months ago

tkol2022 commented 4 months ago

💡 Summary

Currently ScubaGear (via the Defender baseline) only checks the Safe Attachments policy, which prevents users from opening, moving, copying, or sharing files marked as malicious. It does not prevent users from downloading malicious files. The prevention of malicious file downloads is controlled by a separate configuration item from Safe Attachments, and it can be checked via `Get-SPOTenant`, which is part of the SharePoint cmdlets. In the Teams baseline policy 7.2 we state "Users SHOULD be prevented from opening or downloading files detected as malware", so our current implementation is incomplete.

Screenshots and context

Here is our policy in Teams that mentions downloading files. [screenshot]

Here is where the Teams policy points to Defender. [screenshot]

Here is what the Defender baseline currently checks (this is an incomplete implementation of Teams policy 7.2, which also mentions downloading files). [screenshots]

Here is where Microsoft describes the check necessary to determine if the downloading of files is prevented or not. https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files

Here is the cmdlet to detect if downloading of malicious files is turned off:

`Get-SPOTenant | Format-List DisallowInfectedFileDownload`

More info on the setting: https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide

Implementation notes
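As an added example (not ScubaGear's or Microsoft's code), here is a PowerShell check for the download half of Teams policy 7.2 built around the `DisallowInfectedFileDownload` setting named above. The evaluation is split from the tenant query so it can be run offline against a captured object; the admin URL and the sample tenant object are constructed placeholders, and `Connect-SPOService` / `Set-SPOTenant` are the standard SharePoint Online Management Shell cmdlets.

```powershell
# Added example, not ScubaGear's own code. Evaluates whether users are blocked
# from downloading files detected as malware (Teams baseline 7.2, download portion)
# from a Get-SPOTenant result.

function Test-InfectedFileDownloadSetting {
    [CmdletBinding()]
    param(
        # Output of Get-SPOTenant, or any object exposing DisallowInfectedFileDownload
        [Parameter(Mandatory, ValueFromPipeline)]
        $Tenant
    )
    process {
        # A missing or $null property is treated as non-compliant; the tenant default is $false.
        $blocked = [bool]$Tenant.DisallowInfectedFileDownload
        [pscustomobject]@{
            Policy       = 'Teams baseline 7.2 (download portion)'
            Setting      = 'DisallowInfectedFileDownload'
            CurrentValue = $blocked
            Compliant    = $blocked
            # Remediation command from the Microsoft guidance linked in this issue
            Remediation  = $(if ($blocked) { $null } else { 'Set-SPOTenant -DisallowInfectedFileDownload $true' })
        }
    }
}

function Invoke-InfectedFileDownloadCheck {
    [CmdletBinding()]
    param(
        # SharePoint admin center URL; 'contoso' is a constructed placeholder.
        [string]$AdminUrl = 'https://contoso-admin.sharepoint.com'
    )
    # Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin;
    # Connect-SPOService prompts for sign-in interactively.
    Connect-SPOService -Url $AdminUrl
    Get-SPOTenant | Test-InfectedFileDownloadSetting
}

# Offline run with a constructed tenant object mirroring the default (downloads not blocked).
$sampleTenant = [pscustomobject]@{ DisallowInfectedFileDownload = $false }
$sampleTenant | Test-InfectedFileDownloadSetting | Format-List
```

The offline run reports `Compliant : False` with the `Set-SPOTenant` remediation; against a live tenant, call `Invoke-InfectedFileDownloadCheck` with your own admin URL.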

schrolla commented 4 months ago

I think this is related to (but not the same as) #161. At the very least, any policy change to enable Safe Attachments more fully would likely want to include both.