Ensure the connection filter IP allow list is not used
Why This Matters
When the connection filter IP allow list is populated, messages from those IP addresses bypass spam filtering and sender authentication checks such as SPF, DKIM, and DMARC. This creates a significant security gap, as attackers can spoof allowed IPs to deliver malicious email directly to user inboxes. Without additional verification through mail flow rules, this practice violates the zero trust principle that all incoming messages should be scanned regardless of origin.
What Aether365 Checks
Aether365 verifies that the IP Allow List in the default connection filter policy for Exchange Online Protection is empty or undefined. This check appears in the Aether365 dashboard under the Microsoft 365 security checks section and identifies any IP addresses configured to bypass email filtering.
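The same condition can be checked by hand in Exchange Online PowerShell. The script below is an added example, not Aether365's own code: the function name `Test-ConnectionFilterAllowList` is hypothetical, the sample policy objects are constructed so the logic runs without a tenant, and the live usage assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session.

```powershell
# Added example (not Aether365 code). Test-ConnectionFilterAllowList is a hypothetical helper.
function Test-ConnectionFilterAllowList {
    [CmdletBinding()]
    param(
        # A connection filter policy object, e.g. from Get-HostedConnectionFilterPolicy.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Policy
    )
    process {
        # IPAllowList can be $null or an empty collection; both mean "not used".
        $entries = @($Policy.IPAllowList | Where-Object { $_ })
        [pscustomobject]@{
            Policy     = $Policy.Name
            Compliant  = ($entries.Count -eq 0)
            EntryCount = $entries.Count
            Entries    = $entries
        }
    }
}

# Constructed sample objects standing in for real policy output (documentation-range IPs).
$samples = @(
    [pscustomobject]@{ Name = 'Default (constructed, empty)';     IPAllowList = @() }
    [pscustomobject]@{ Name = 'Default (constructed, populated)'; IPAllowList = @('192.0.2.10', '198.51.100.0/24') }
)

foreach ($result in ($samples | Test-ConnectionFilterAllowList)) {
    if ($result.Compliant) {
        Write-Output "PASS: IP allow list on '$($result.Policy)' is empty."
    } else {
        Write-Warning "FAIL: $($result.EntryCount) entries bypass filtering on '$($result.Policy)'."
        $result.Entries | ForEach-Object { Write-Output "  $_" }
    }
}

# Against a live tenant (after Connect-ExchangeOnline):
#   Get-HostedConnectionFilterPolicy -Identity Default | Test-ConnectionFilterAllowList
#
# To clear the list once each entry has been reviewed with the mail-flow owners:
#   $r = Get-HostedConnectionFilterPolicy -Identity Default | Test-ConnectionFilterAllowList
#   Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Remove = $r.Entries }
```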