L1 BIO U.12.2.1 ISO A.8.16 CIS 9.2

Outlook Automatisch Toevoegen Recipients Aan Safe Senders Uitschakelen

πŸ“… 2025-10-30
β€’
⏱️ 8 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Het uitschakelen van de automatische toevoeging van e-mail recipients aan de Safe Senders lijst voorkomt een kritieke phishing bypass techniek waarbij aanvallers hun e-mailadressen op de whitelist krijgen door simpelweg te antwoorden op gespoofte e-mails, wat een essentiΓ«le verdedigingslinie vormt tegen Business Email Compromise (BEC) en spear phishing attacks.

Aanbeveling
IMPLEMENT IMMEDIATELY
Risico zonder
High
Risk Score
7/10
Implementatie
8u (tech: 2u)
Van toepassing op:
βœ“ Microsoft Office 365 ProPlus
βœ“ Microsoft Outlook 2016
βœ“ Microsoft Outlook 2019
βœ“ Microsoft Outlook 2021
βœ“ Microsoft 365 Apps
βœ“ Outlook voor Windows

Outlook's Safe Senders lijst is een whitelist feature waarmee gebruikers kunnen aangeven welke afzenders altijd als vertrouwd moeten worden behandeld, waarbij spam filters worden omzeild. Het probleem ontstaat met de 'automatisch add people I email to de Safe Senders List' optie. Wanneer dit is ingeschakeld: **Automatische toevoeging bij reply**: Wanneer een gebruiker replyt op een e-mail, wordt het TO-adres automatisch toegevoegd aan Safe Senders. **Phishing bypass techniek**: Aanvallers exploiteren dit door gespoofte e-mails te sturen waarbij: Stap 1: Aanvaller stuurt phishing e-mail met gespoofd FROM-adres (bijv. CEO@legitiem-domein.com). Stap 2: Gebruiker replyt op de e-mail (zelfs om te zeggen 'dit lijkt verdacht'). Stap 3: Outlook voegt automatisch het (gespoofte) FROM-adres toe aan Safe Senders. Stap 4: Toekomstige phishing e-mails van dit gespoofte adres omzeilen alle spam/phishing filters. **Business Email Compromise (BEC) escalatie**: BEC aanvallers gebruiken deze techniek systematisch: Initial reconnaissance e-mail met lichte spoofing. Victim replyt met 'I don't understand this'. Attacker's adres whitelisted. Follow-up BEC attack met wire transfer request bypasses alle filters. **Domain reputation bypass**: Spam filters kunnen niet meer werken omdat gebruiker expliciet (onbedoeld) heeft aangegeven dat afzender vertrouwd is. **Social engineering amplification**: Elke reply, zelfs skeptical responses, versterkt de attacker's position. ReΓ«le gevallen waar dit is ge exploit: **CEO Fraud**: Gespoofd CEO e-mailadres wordt whitelisted na reply, follow-up wire transfer fraud succesvol. **Vendor Invoice Scams**: Gespoofd vendor e-mail, reply over invoice discrepancy, daarna fake invoice bypass filters. **credential Harvesting**: Initial phishing link, victim replyt 'what is this?', follow-up phishing heeft hoger success rate. Door automatische toevoeging uit te schakelen, dwingt deze control af dat Safe Senders lijst alleen handmatige wordt beheerd, wat eliminatie van deze kritieke phishing bypass techniek mogelijk maakt.

PowerShell Modules Vereist
Primary API: Registry / groep beleid
Connection: Lokale registry toegang of groep beleid Management
Required Modules: Windows PowerShell 5.1 of hoger

Implementatie

Deze beveiligingsmaatregel configureert de registry-instelling 'noaddrecipientssafesenders' op waarde 1 in het Outlook Security-pad. Dit schakelt de functie uit waarbij Outlook automatisch e-mailadressen toevoegt aan de Safe Senders lijst wanneer een gebruiker een e-mail verzendt of beantwoordt. De instelling wordt toegepast via het registry-pad HKCU:\Software\beleidsregels\Microsoft\Office\16.0\OUTLOOK\Security en is van toepassing op Office 2016 en nieuwer (inclusief Microsoft 365 Apps). Belangrijk: Deze setting voorkomt AUTOMATISCHE toevoeging, maar gebruikers kunnen nog steeds HANDMATIG adressen toevoegen aan Safe Senders (Right-click β†’ Junk β†’ Add sender to Safe Senders List). Dit balanceert security (geen accidental whitelisting) met usability (bewuste whitelist decisions blijven mogelijk).

Vereisten

Voor het implementeren van deze anti-phishing control zijn de volgende vereisten van toepassing:

  1. Microsoft Office 2016 of nieuwer (inclusief Microsoft 365 Apps for Enterprise)
  2. Administrator-rechten voor het wijzigen van registry-instellingen of groep beleid configuratie
  3. Windows PowerShell 5.1 of hoger voor geautomatiseerde implementatie
  4. Toegang tot het HKCU of HKLM registry hive
  5. Bij gebruik van groep beleid: toegang tot groep beleid Management Console (GPMC)
  6. E-mail security infrastructure: Defender for Office 365, Exchange Online bescherming, of derde partij e-mail security gateway
  7. User awareness training over phishing, spoofing, en safe email practices
  8. Helpdesk preparedness voor vragen over veranderd Safe Senders gedrag
  9. Communication plan naar users over wijziging in Safe Senders functionaliteit
  10. monitoring infrastructure voor phishing attempts en BEC attacks

**Complementary Security Controls (Aanbevolen):**

  1. Microsoft Defender for Office 365 met anti-phishing beleidsregels
  2. DMARC, SPF, en DKIM implementatie voor e-mail authenticatie
  3. Exchange Transport Rules voor external sender warnings
  4. Conditional Access beleidsregels voor risky sign-ins
  5. User en Entity Behavior Analytics (UEBA) voor anomaly detectie
  6. Multi-factor authentication (MFA) voor alle gebruikers
  7. Regular phishing simulations en awareness training

Implementatie

De implementatie van deze anti-phishing control is relatief eenvoudig maar vereist user communication:

**FASE 1: Baseline beoordeling**

  1. Assess current state: Query hoeveel users automatische Safe Senders addition hebben ingeschakeld
  2. Review phishing incident history: Correleer met Safe Senders bypass attempts
  3. Identify power users die mogelijk veel handmatige Safe Senders management doen
  4. Document current Safe Senders lists (optional baseline voor monitoring)
  5. Review e-mail security beleidsregels (Defender for Office 365, EOP settings)
  6. Assess phishing awareness level via surveys of historical training metrics

**FASE 2: User Communication en Training**

  1. **Communication (2 weken voor implementatie):**
  2. Explain wat Safe Senders lijst is en waarom automatische addition security risk vormt
  3. Provide real-world examples van phishing bypass via Safe Senders
  4. Inform users dat handmatige addition nog steeds mogelijk blijft
  5. Share instructies voor handmatige Safe Senders management (Right-click β†’ Junk β†’ Add to Safe Senders)
  6. Explain dat modern e-mail filters (Defender for Office 365) effectiever zijn dan handmatige whitelists
  7. **Training sessies:**
  8. Phishing awareness: hoe herken je gespoofte e-mails
  9. Spoofing techniques: display name spoofing, domain lookalikes, reply-to manipulation
  10. Safe email practices: verify unexpected requests via phone/second channel
  11. Wanneer to use Safe Senders (sparingly, alleen for confirmed legitimate senders met recurring false positives)

**FASE 3: Pilot Implementatie**

Gebruik PowerShell-script no-add-recipients-safe-senders.ps1 (functie Invoke-Remediation) – PowerShell script voor het uitschakelen van automatische Safe Senders addition. Ondersteunt monitoring, remediatie en revert-functies..

**Pilot Stappen:**

  1. Selecteer pilot groep: security-aware users (IT, security team, 10-20% van organisatie)
  2. Voer remediation script uit: .\no-add-recipients-safe-senders.ps1 -Remediation
  3. Test met -WhatIf eerst: .\no-add-recipients-safe-senders.ps1 -Remediation -WhatIf
  4. Herstart Outlook op pilot machines (of wait voor automatische registry refresh)
  5. **Test scenarios:**
  6. Reply op legitieme e-mail β†’ verify TO-adres NIET wordt toegevoegd aan Safe Senders
  7. handmatige toevoegen van Safe Sender β†’ verify dit NOG STEEDS werkt
  8. Reply op externe e-mail β†’ verify geen automatische whitelisting
  9. **Pilot monitoring (2 weken):**
  10. Collect feedback van pilot users over enige usability issues
  11. monitor helpdesk tickets voor Safe Senders-gerelateerde vragen
  12. Track phishing incidents (verwacht geen increase, mogelijk decrease)
  13. Verify dat handmatige Safe Senders addition workflow duidelijk is voor users

**FASE 4: Productie Rollout**

**via groep beleid (Aanbevolen voor on-premises/hybrid):**

  1. Open groep beleid Management Console (gpmc.msc)
  2. CreΓ«er GPO: 'Outlook - Anti-Phishing Safe Senders Control'
  3. Computer Configuration β†’ Preferences β†’ Windows Settings β†’ Registry
  4. New Registry Item: HKCU\Software\beleidsregels\Microsoft\Office\16.0\OUTLOOK\Security
  5. Value name: noaddrecipientssafesenders, Type: REG_DWORD, Value: 1
  6. Link GPO aan alle OUs met Outlook users
  7. Implementeer in één keer (low risk change, high security benefit)
  8. monitor met gpresult /h op steekproef machines
  9. Verify via GPMC reporting tools

**via Microsoft Intune (Cloud-beheerde devices):**

  1. Intune Admin Center β†’ Devices β†’ Configuration profiles
  2. Maak profile β†’ Windows 10 en later β†’ Settings catalog
  3. Add setting: Microsoft Outlook 2016 β†’ Security β†’ Prevent automatische addition to Safe Senders
  4. configureer: ingeschakeld (1)
  5. Assign aan: alle users of alle devices (depending op licensing model)
  6. Implementeer met standard rollout (geen staging needed voor deze low-risk change)
  7. monitor compliance via Intune dashboards
  8. Track deployment progress en verify 100% assignment

**FASE 5: Post-Implementation monitoring**

  1. monitor helpdesk tickets voor eerste 2 weken (verwacht minimal increase)
  2. Track phishing incident rate (baseline vs post-implementation)
  3. monitor Safe Senders list growth rate (should decrease dramatically)
  4. Review handmatige Safe Senders additions (are users adding legitimate senders?)
  5. Conduct follow-up phishing simulation (test if users nog steeds fall for spoofed replies)
  6. Quarterly review van phishing metrics en Safe Senders hygiene

monitoring en Controle

Continue monitoring van deze anti-phishing control is essentieel voor het meten van effectiveness:

Gebruik PowerShell-script no-add-recipients-safe-senders.ps1 (functie Invoke-Monitoring) – Het monitoring-script controleert of de registry-instelling correct is geconfigureerd en rapporteert de compliance-status..

**monitoring StrategieΓ«n:**

  1. **Registry compliance monitoring**: Dagelijkse scan van alle Outlook machines voor correcte registry configuratie (target: 100%)
  2. **Phishing Incident monitoring**: Track phishing success rate pre vs post implementation (expect significant decrease)
  3. **BEC Attack monitoring**: monitor Business Email Compromise attempts en success rate
  4. **Safe Senders List Audits**: Periodic export en analyse van Safe Senders lists (should show decreased growth rate)
  5. **User Behavior Analytics**: Identify users die excessive handmatige Safe Senders additions doen (possible security awareness gaps)
  6. **E-mail Security Metrics**: monitor Defender for Office 365 of EOP metrics voor phishing detections
  7. **Helpdesk Ticket Analysis**: Track tickets gerelateerd aan blocked emails en Safe Senders requests

**Key Performance Indicators (KPIs):**

  1. Registry compliance: 100% machines correct geconfigureerd
  2. Phishing incident reduction: Target >30% decrease in successful phishing (6 maanden post-implementation)
  3. BEC attack prevention: Target 100% prevention van Safe Senders bypass technique
  4. Safe Senders list growth: Target >80% decrease in automatische additions
  5. User satisfaction: >85% users accepteren change na training (quarterly survey)
  6. Helpdesk impact: <1% users met recurring Safe Senders issues
  7. False positive rate: No increase in legitimate e-mails in junk folder (compensated door modern filters)

**Alerting Configuratie:**

  1. CRITICAL: Registry non-compliance op >5% machines (possible GPO failure of attack)
  2. HIGH: Phishing incident spike >20% vs baseline (investigate if related to Safe Senders)
  3. MEDIUM: User met >50 handmatige Safe Senders additions in 1 maand (possible awareness gap of legitimate need)
  4. LOW: Helpdesk tickets >5 per week voor blocked emails (investigate false positives)
  5. Weekly phishing metrics report naar security team
  6. Monthly trend analysis naar management met ROI calculation

Remediatie en Troubleshooting

Bij detectie van problemen met Safe Senders control:

Gebruik PowerShell-script no-add-recipients-safe-senders.ps1 (functie Invoke-Remediation) – Het remediatie-script past automatisch de benodigde registry-instelling toe..

**Veelvoorkomende Problemen en Oplossingen:**

  1. **Probleem**: Users klagen dat vertrouwde senders in junk folder belanden. **Oplossing**: Train users over handmatige Safe Senders addition. Check modern e-mail filters (Defender for Office 365) voor false positives. Consider allow-listing op tenant level voor confirmed legitimate domains.
  2. **Probleem**: VIP executives willen automatische Safe Senders voor convenience. **Oplossing**: Explain security risk (executives zijn primaire BEC targets). Offer alternative: IT-beheerde Safe Senders list voor their confirmed regular contacts.
  3. **Probleem**: Users voegen ALLES handmatige toe aan Safe Senders (defeating purpose). **Oplossing**: aanvullend training over proper Safe Senders usage. monitor excessive additions. Consider technical control: limit Safe Senders list size.
  4. **Probleem**: Business partner e-mails consistent in junk. **Oplossing**: Investigate via Defender for Office 365 message trace. Work met business partner om hun e-mail authentication (SPF/DKIM/DMARC) te verbeteren. Temporary tenant-level allow list indien critical.
  5. **Probleem**: Registry waarde wordt reset naar 0. **Oplossing**: Check voor conflicterende GPOs met gpresult. Verify GPO precedence. Check voor local admin changes of malware.
  6. **Probleem**: Users vinden handmatige process te complex. **Oplossing**: Simplified documentation met screenshots. Quick reference card. Video tutorial. Helpdesk quick-assist.

**Safe Senders Hygiene Best practices:**

  1. Users should alleen add senders waar legitieme e-mails recurring in junk belanden
  2. NEVER add unknown senders, zelfs als e-mail legitimate lijkt (modern filters should handle)
  3. Review Safe Senders list quarterly en remove oude/unused entries
  4. For business-critical senders: werk met e-mail admin voor tenant-level allow list
  5. If in doubt: don't add to Safe Senders, rely op modern e-mail security filters
  6. Report persistent false positives aan IT voor investigation en structural fix

**geavanceerd Scenarios:**

  1. **VIP bescherming Program**: Maak separate GPO for C-level executives met extra strict controls + IT-beheerde Safe Senders lists
  2. **Bulk Safe Senders Management**: Use PowerShell scripts voor centralized Safe Senders list management voor specific user groeps
  3. **E-mail Authentication Enforcement**: Implement DMARC reject beleid voor owned domains om spoofing te elimineren
  4. **External Sender Warnings**: configureer Exchange transport rules om external sender warnings toe te voegen aan e-mail headers

Compliance en Auditing

Deze beveiligingsmaatregel ondersteunt compliance met meerdere security frameworks en regelgeving:

**DISA STIG Compliance:**

  1. Control ID: O365-OU-000006
  2. STIG versie: Microsoft Office 365 ProPlus v3r3
  3. Severity: Category II (Medium)
  4. Compliance vereiste: automatische addition van recipients aan Safe Senders moet zijn uitgeschakeld
  5. Rationale: Voorkomt phishing bypass technique via automatische whitelisting van gespoofte adressen

**Framework Mapping:**

  1. **BIO (Baseline Informatiebeveiliging Overheid)**: U.12.2.1 - Bescherming tegen malware. Phishing preventie is onderdeel van anti-malware strategie.
  2. **ISO 27001:2022**: A.8.16 - Management of technical vulnerabilities. automatische Safe Senders is een exploitable vulnerability.
  3. **NIS2 Richtlijn**: Artikel 21(2)(b) - Security awareness en training. Users moeten bewust zijn van phishing risks.
  4. **NIST Cybersecurity Framework**: PR.AT-1 - alle users are informed en trained. Anti-phishing awareness is kritiek.
  5. **CIS Controls**: Control 9.2 - Email en web browser protections. Safe Senders control is onderdeel van e-mail security hardening.
  6. **MITRE ATT&CK**: T1566 - Phishing (technique). Deze control mitigeert phishing delivery via Safe Senders bypass.

**Audit Evidence:**

  1. Registry export van noaddrecipientssafesenders waarde (HKCU:\Software\beleidsregels\Microsoft\Office\16.0\OUTLOOK\Security)
  2. groep beleid configuratie screenshots en GPO XML exports
  3. Intune beleid configuration exports en deployment compliance reports
  4. Test documentatie: reply op e-mail β†’ verify TO-adres NIET in Safe Senders verschijnt
  5. User communication materials: announcements, training sessies, awareness campaigns
  6. Phishing incident metrics: pre-implementation vs post-implementation comparative analysis
  7. BEC attack prevention: documented cases waar Safe Senders bypass werd voorkomen
  8. Safe Senders list audits: growth rate analysis (should show dramatic decrease)
  9. User awareness beoordeling results: quarterly phishing simulations en training completion rates
  10. Helpdesk ticket analysis: volume en trends voor Safe Senders-gerelateerde issues
  11. Change management documentation: business case, risk beoordeling, implementation plan
  12. Quarterly security review reports met control effectiveness metrics

**Return op Investment (ROI):**

  1. Average BEC attack cost: €150,000+ per successful attack (FBI IC3 data)
  2. Phishing remediation cost: €500-€5,000 per incident (depending op scope)
  3. Implementation cost: ~8 uur (€1,000-€2,000)
  4. Prevented attacks: If 1 BEC attack prevented per year β†’ ROI >7500%
  5. aanvullend Voordelen: Reduced helpdesk load, improved user awareness, beter e-mail hygiene

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
# Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000006: no add recipients safe senders " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "noaddrecipientssafesenders" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } } catch { Write-Host "Script execution error: # Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000006: no add recipients safe senders " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "noaddrecipientssafesenders" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\no-add-recipients-safe-senders.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\no-add-recipients-safe-senders.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red exit 1 } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } } catch { Write-Host "Script execution error: # Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000006: no add recipients safe senders " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "noaddrecipientssafesenders" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000006 - no add recipients safe senders #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000006: no add recipients safe senders" -ForegroundColor Green try { $valueName = "noaddrecipientssafesenders" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000006: no add recipients safe senders" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "noaddrecipientssafesenders" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\no-add-recipients-safe-senders.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\no-add-recipients-safe-senders.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Zonder deze control kunnen aanvallers hun phishing e-mails op gebruikers' whitelist krijgen door simpelweg te wachten op een reply. Dit is een bewezen exploit technique gebruikt in Business Email Compromise (BEC) attacks die organisaties gemiddeld €150,000+ per incident kosten. Het attack scenario: Aanvaller stuurt gespoofte e-mail (bijv. fake CEO), gebruiker replyt (zelfs skeptisch), gespoofd adres komt automatisch op Safe Senders whitelist, toekomstige phishing e-mails bypassen alle filters, BEC fraud succeeds met wire transfer. ReΓ«le cases: CEO fraud via Safe Senders bypass, vendor invoice scams na initial reply, credential harvesting met verhoogde success rate. Deze control is kritiek voor: Financial institutions (wire transfer fraud), C-level executives (BEC targets), enige organisatie met e-mail-based payments. Implementatie is relatief eenvoudig (8 uur) met minimale user impact (handmatige Safe Senders blijft werken). ROI is extreem hoog: voorkomen van 1 BEC attack per jaar levert >7500% return op implementation investment.

Management Samenvatting

Schakel automatische toevoeging van recipients aan Safe Senders lijst uit om kritieke phishing bypass technique te voorkomen. Aanvallers exploiteren dit voor BEC attacks door gebruikers te laten replyen op gespoofte e-mails. handmatige Safe Senders blijft werken voor legitieme use cases. Implementatie via groep beleid of Intune. Kritiek voor compliance met DISA STIG, BIO en ISO 27001. High ROI: voorkomen van 1 BEC attack (€150k+) rechtvaardigt implementatie (€2k). Implementatietijd: 8 uur inclusief training.