Associated with

Inboxes

Underlying signals

ESEC Unprotected Inbox (RS41)

Reasonings

• Enabled inbox, and

  • Any inbox that is enabled regardless if it’s regular, shared, or a distribution group. Any inbox that can receive email.

• Inbox is not present in connected email security integration, or

• Domain is not present in connected email security integration

  • Some integrations do not provide the list of users protected by the tool, so Cork may infer that all inboxes of a domain are covered if that domain is present in the integration

Resolutions

• Add the inbox to your email security tool, or

• If user is being offboarded, disable the inbox

Additional Considerations

• Shared Inboxes are not monitored for compliance events directly. Protection for these is inferred based on the license status of the users who have permission to view that shared inbox.

• Microsoft recommends purchasing an individual Defender for Office 365 license for shared inboxes

  • https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms

• The following integrations are inferred as cover-alls:

  • TitanHQ SpamTitan

  • Avanan

  • Barracuda Email Gateway Defense

  • INKY

  • Perception Point