Outlook Junk Email Protection at High Level

💼 Management Summary

Outlook junk email protection must be set to the 'High' level so that phishing emails, spam and malware-bearing emails are filtered aggressively before users see them.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 7/10
Implementation: 3h (tech: 1h)
Applies to:
✓ Outlook
✓ Microsoft 365 Apps

JUNK EMAIL IS THE PRIMARY PHISHING/MALWARE VECTOR: 94% of malware is delivered via email. Phishing emails lead to: credential theft (fake login pages), ransomware deployment (malicious attachments), Business Email Compromise (BEC, CEO fraud).

OUTLOOK CLIENT-SIDE FILTERING: Outlook has a built-in junk email filter (a supplement to the server-side Exchange Online Protection).

PROTECTION LEVELS: Low is minimal filtering (a lot of junk gets through), High is aggressive filtering (blocks most junk, with possible false positives), Safe Lists Only is ONLY email from approved senders (too restrictive).

HIGH LEVEL recommended: a balance between security (aggressive filtering) and usability (minimal false positives), works TOGETHER with Exchange Online Protection (defense in depth), and the client-side filter is the last line of defense.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Configure the Outlook junk email level via the registry: HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security\junkemailprotectionhigh = 1. DISA STIG O365-OU-000006: MANDATORY for government/defense. EFFECT: aggressive spam/phishing filtering in the Outlook client, suspicious emails are automatically moved to the Junk Email folder, and users can manage the Safe Senders list (for false positives).

Requirements

  1. Outlook (Microsoft 365 Apps version 16.0+)
  2. Exchange Online with EOP (Exchange Online Protection) for server-side filtering
  3. User training: check the Junk Email folder regularly for false positives

Implementation

Via Intune (RECOMMENDED):

  1. Intune admin center → Apps → Configuration policies
  2. Create: Microsoft 365 Apps
  3. Setting: Outlook Security → Junk email protection level
  4. Value: High (junkemailprotectionhigh = 1)
  5. Assign to: All users

Use the PowerShell script junk-email-bescherming-high.ps1 (function Invoke-Remediation): configures junk email protection high via the registry.

Via Group Policy:

  1. Download the Office ADMX templates
  2. GPO: User Configuration → Administrative Templates → Microsoft Outlook 2016 → Security → Junk E-mail
  3. Policy: 'Junk E-mail protection level' = High
  4. Deploy the GPO

Monitoring

Use the PowerShell script junk-email-protection-high.ps1 (function Invoke-Monitoring): checks the setting.

Monitor: policy compliance, false positive rate (legitimate emails in Junk), phishing/spam incidents (should decrease).

Compliance and Auditing

  1. DISA STIG O365-OU-000006 - MANDATORY for government/defense
  2. CIS Microsoft 365 Benchmark
  3. BIO 12.02 - Protection against malware
  4. ISO 27001 A.8.7

Remediation

Use the PowerShell script junk-email-protection-high.ps1 (function Invoke-Remediation): restores the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
# Control: O365-OU-000006 - junk email protection high
#Requires -Version 5.1
# DISA STIG Microsoft Office 365 ProPlus v3r3

param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Returns $true when the policy value is present and equals the expected value
function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000006: junk email protection high" -ForegroundColor Green
    try {
        $valueName = "junkemailprotectionhigh"
        $expectedValue = 1

        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }

        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
        if ($currentValue -and $currentValue.$valueName -eq $expectedValue) {
            Write-Host "✓ Control compliant: $valueName = $expectedValue" -ForegroundColor Green
            return $true
        }
        else {
            $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "✗ Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Creates the policy key if needed, sets the value, then re-checks it
function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000006: junk email protection high" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would set registry value" -ForegroundColor Cyan
            return $true
        }

        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host " Created registry path: $RegistryPath" -ForegroundColor Green
        }

        $valueName = "junkemailprotectionhigh"
        $expectedValue = 1
        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host " Set $valueName to $expectedValue" -ForegroundColor Green

        Start-Sleep -Seconds 1
        return Invoke-Monitoring
    }
    catch {
        Write-Host " Error during remediation: $_" -ForegroundColor Red
        return $false
    }
}

# Removes the policy value again (the key itself is left in place)
function Invoke-Revert {
    Write-Host "Reverting O365-OU-000006: junk email protection high" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }

        $valueName = "junkemailprotectionhigh"
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host " Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    }
    catch {
        Write-Host " Error during revert: $_" -ForegroundColor Red
        return $false
    }
}

# Main execution: exit code 0 on success, 1 on failure
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    }
    else {
        Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
}
catch {
    Write-Host "Script execution error: $_" -ForegroundColor Red
    exit 1
}
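
The script above reads HKCU, which is the hive of the account that runs it, so a check executed under another account (for example SYSTEM) does not see the signed-in user's policy. As an added example, not part of the original page or its script, the following audits the same value in every user hive loaded under HKEY_USERS. The function name Get-JunkPolicyCompliance is hypothetical, the sub-path and value name are taken from the page, only currently loaded hives are covered, and administrative rights are assumed.

```powershell
#Requires -Version 5.1
# Added example, not the page's script. Get-JunkPolicyCompliance is a hypothetical name.
function Get-JunkPolicyCompliance {
    param(
        # Sub-path and value name exactly as given on the page
        [string]$SubPath   = 'Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security',
        [string]$ValueName = 'junkemailprotectionhigh',
        [int]$Expected     = 1
    )

    # Keep local/domain (S-1-5-21-...) and Entra ID (S-1-12-1-...) user SIDs;
    # this skips .DEFAULT, service accounts and the *_Classes hives.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

    foreach ($hive in $userHives) {
        $sid    = $hive.PSChildName
        $key    = "Registry::HKEY_USERS\$sid\$SubPath"
        $prop   = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.$ValueName } else { $null }

        # Resolve the SID to an account name; fall back to the SID if lookup fails
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        [pscustomobject]@{
            Account   = $account
            Sid       = $sid
            Value     = if ($null -ne $actual) { $actual } else { 'Not Set' }
            Compliant = ($null -ne $actual -and $actual -eq $Expected)
        }
    }
}

# Report per user; exit code 1 if any loaded profile is non-compliant
$report = @(Get-JunkPolicyCompliance)
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 } else { exit 0 }
```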

Risk Without Implementation

High: without aggressive junk filtering more phishing/spam emails get through, which increases the chance of credential theft, malware infections and BEC attacks.

Management Summary

Set Outlook junk email protection to the 'High' level (junkemailprotectionhigh=1). Aggressive spam/phishing filtering. Required by DISA STIG O365-OU-000006. Defense in depth with Exchange Online Protection. Complies with BIO 12.02, ISO 27001 A.8.7. Implementation: 1-3 hours.