Are spam and phishing filters on (Microsoft 365 / Google Workspace built-in or a paid filter)?
Demonstrate that spam and phishing email filters are enabled, actively processing inbound mail, and configured with organization-approved threat detection policies on production email platforms.
Description
What this control does
This control verifies that enterprise email platforms (Microsoft 365 or Google Workspace) have spam and phishing filtering mechanisms actively enabled and properly configured. These filters use reputation databases, machine learning, and heuristic analysis to intercept malicious or unwanted email before it reaches end-user inboxes. The control covers both platform-native filtering capabilities (Exchange Online Protection, Gmail spam filtering) and third-party solutions (Proofpoint, Mimecast, Barracuda) that may augment or replace built-in defenses. Proper configuration and continuous operation of these filters are essential to reduce the attack surface presented by email, which remains the most common initial access vector for threat actors.
Control objective
What auditing this proves
Demonstrate that spam and phishing email filters are enabled, actively processing inbound mail, and configured with organization-approved threat detection policies on production email platforms.
Associated risks
Risks this control addresses
- Delivery of phishing emails to end users leading to credential harvesting or malware execution
- Business email compromise (BEC) attacks bypassing detection and resulting in fraudulent wire transfers or data disclosure
- Malware-laden attachments reaching user mailboxes and establishing footholds for ransomware or data exfiltration
- Spam overwhelming user inboxes and reducing productivity or masking legitimate communications
- Zero-day phishing campaigns exploiting delays in signature updates when third-party filters are misconfigured or inactive
- Users becoming desensitized to email threats due to high volume of malicious messages, increasing likelihood of successful social engineering
- Data leakage through spam replies or interaction with scam emails that exfiltrate internal information
Testing procedure
How an auditor verifies this control
- Identify the primary email platform in use (Microsoft 365, Google Workspace, or on-premises Exchange with cloud filtering) and document the filtering solution (native or third-party).
- For Microsoft 365: Access the Microsoft 365 Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies, and review anti-spam and anti-phishing policy configurations.
- For Google Workspace: Access the Admin Console, navigate to Apps > Google Workspace > Gmail > Safety, and review spam, phishing, and malware settings for each organizational unit.
- For third-party solutions: Log into the filter management console (e.g., Proofpoint, Mimecast) and confirm the service is active, mail flow is routing through the filter, and policies are enabled.
- Review mail flow rules or connectors to verify that inbound email is routed through the filtering service before delivery to mailboxes and that bypass rules are limited to documented exceptions.
- Examine filter logs or quarantine reports from the past 30 days to confirm active detection and blocking of spam and phishing messages, noting message counts and threat categories.
- Test filter effectiveness by simulating a phishing attack using a controlled tool (e.g., security awareness platform test email) and verify that the filter quarantines or flags the message appropriately.
- Interview email administrators to confirm the frequency of policy reviews, update procedures for threat intelligence feeds, and escalation processes for false positives or filter failures.
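For the Microsoft 365 steps above (policy review, bypass rules, and 30-day quarantine evidence), the following added PowerShell script is an example and not part of the original control text; it assumes the ExchangeOnlineManagement module, an account holding a view-only Exchange Online role, and treats "phishing verdicts quarantined or deleted" plus "spoof intelligence on" as the organization-approved baseline.

```powershell
# Added example audit script (not from the original control). Assumes the
# ExchangeOnlineManagement module and a view-only Exchange Online role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$days = 30
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Anti-spam policies: each must be the default or bound by an enabled rule,
#    and phishing verdicts must not be delivered to the mailbox.
$spamRules = Get-HostedContentFilterRule
foreach ($p in Get-HostedContentFilterPolicy) {
    $rule = $spamRules | Where-Object { $_.HostedContentFilterPolicy -eq $p.Name }
    if (-not $p.IsDefault -and -not ($rule | Where-Object State -eq 'Enabled')) {
        $findings.Add("Anti-spam policy '$($p.Name)' is not applied by any enabled rule")
    }
    if ($p.PhishSpamAction -notin @('Quarantine', 'Delete')) {
        $findings.Add("Anti-spam policy '$($p.Name)' PhishSpamAction is '$($p.PhishSpamAction)', not Quarantine/Delete")
    }
}

# 2. Anti-phishing policies: enabled, with spoof intelligence turned on.
foreach ($p in Get-AntiPhishPolicy) {
    if (-not $p.Enabled) { $findings.Add("Anti-phish policy '$($p.Name)' is disabled") }
    if (-not $p.EnableSpoofIntelligence) { $findings.Add("Anti-phish policy '$($p.Name)' has spoof intelligence off") }
}

# 3. Bypass rules: a mail flow rule that sets SCL -1 skips spam filtering entirely,
#    so every such rule must map to a documented exception.
Get-TransportRule | Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } | ForEach-Object {
    $findings.Add("Mail flow rule '$($_.Name)' bypasses spam filtering (SCL -1); verify it is a documented exception")
}

# 4. Evidence of active detection: quarantine volume by verdict over the review window
#    (Get-QuarantineMessage returns at most 1000 items per page, so page through).
$since = (Get-Date).AddDays(-$days); $page = 1; $quarantined = @()
do {
    $batch = @(Get-QuarantineMessage -StartReceivedDate $since -EndReceivedDate (Get-Date) -PageSize 1000 -Page $page)
    $quarantined += $batch; $page++
} while ($batch.Count -eq 1000)
$quarantined | Group-Object Type | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
if ($quarantined.Count -eq 0) {
    $findings.Add("No quarantined messages in the last $days days; confirm the filter is actually in the inbound mail path")
}

if ($findings.Count -eq 0) { 'No findings: filters enabled, bound to recipients, and actively quarantining.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
Disconnect-ExchangeOnline -Confirm:$false
```

The script only covers native Exchange Online Protection settings; Google Workspace and third-party consoles still need the manual review described in the procedure, and the quarantine table is the artifact to retain as 30-day evidence.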