Security Suite Group 7#2240
Open
atuomit wants to merge 19 commits into
Open
Conversation
…b.com/cisagov/ScubaGear into 2108-implement-security-suite-group-7
…b.com/cisagov/ScubaGear into 2108-implement-security-suite-group-7
1 task
…or ScanUrls and DeliverMessageAfterScan to be enabled
Collaborator
|
@JosephRWalter I added you as a reviewer. Thank you |
RM-MITRE
reviewed
Jun 30, 2026
Collaborator
There was a problem hiding this comment.
Testing for SP7
GCC - PASSED
- When disabling both policies, we receive the expected warning for 7.1-7.3. With service principals, a strange warning was thrown, but functional outside of that (*).
- (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Custom)
For the "Under Email" tests, the warning is received as expected. Although if "URL Scanning" is enabled under it with the other settings (just this setting group), it passes 7.2 prematurely. Unsure if this is intended (*).
For the "Under Teams" tests, the warning is received as expected.
For the "Under Office 365" tests, the warning is received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3.
For the "Track user clicks" tests, the 7.1-7.3 pass is received for all.
For the priority and user modification tests, all warnings received as expected.
GCCHIGH - PASSED
- When disabling both policies, we receive the expected warning for 7.1-7.3.
- (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Custom)
For the "Under Email" tests, the warning is received as expected.
For the "Under Teams" tests, the warning is received as expected.
For the "Under Office 365" tests, the warning is received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3.
For the "Track user clicks" tests, the 7.1-7.3 pass is received for all.
For the priority and user modification tests, all warnings received as expected.
E5 - PASSED w/ Caveats
- When disabling both policies, we receive the expected warning for 7.1-7.3.
- (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Custom)
For the "Under Email" tests, the warning is received as expected.
For the "Under Teams" tests, the warning is received as expected.
For the "Under Office 365" tests, the warning is received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
FAILED - For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected after the initial failings.
(*This test and the next two initially failed until I waited a bit. It returned all passes, even though clicks was disabled. Something funky was happening here behind the scenes tied to the "security" popup, where it also reenabled standard/strict. Noticed it triggering after "real time URL".)
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
FAILED - For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3 after the initial failings.
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
FAILED - For the "Track user clicks" tests, the 7.1-7.3 pass is received for all after the initial failings.
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
For the priority and user modification tests, all warnings received as expected.
G3 - PASSED w/ Caveats
- When disabling both policies, we receive the expected warning for 7.1-7.3.
- NOTABLE - (Standard) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
(*Turning on "all" for standard enables strict as well for some reason, randomly even, which when disabled causes it to sometimes fail. Same goes for when testing strict alone, it enables standard (although not as much).) - (Strict) When modifying Exchange Online Protection, we receive the expected warning for 7.1-7.3 for the none and specific recipients settings. We receive a pass on the "all" setting.
- (Custom)
For the "Under Email" tests, the warning is received as expected.
For the "Under Teams" tests, the warning is received as expected.
For the "Under Office 365" tests, the warning is received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
For the "Under Email" tests, the 7.1 pass is received as expected, warnings are received as expected.
(*The security popup led to testing issues again at this stage.)
FAILED - For the "Under Email" tests, the 7.1/2 pass is received as expected, warnings are received as expected for 7.3 after the initial failings.
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
FAILED - For the "Track user clicks" tests, the 7.1-7.3 pass is received for all after the initial failings.
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
FAILED - For the priority and user modification tests, all warnings received as expected after the initial failings.
(*This was absolutely not working at all on G3 at first. It kept resetting the presets.)
- PASSED when running another day after troubleshooting the GUI, so this is not a code issue.
RM-MITRE
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🗣 Description
Implemented Security Suite Group 7
💭 Motivation and context
Closes #2108
🧪 Testing
Test Preset Policies
Go to Microsoft Defender admin page
Under Email & Collaboration > Policies & Rules > Threat Policies > Safe Links
Ensure that all custom policies are disabled except for Built-in protection, which cannot be disabled)
Under Email & Collaboration > Policies & Rules > Threat Policies > Preset Security Policies
Turn both the standard and strict policies off - expect WARNING for 7.1 and PASS for 7.2 and 7.3
Enable the standard preset policy
Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "None" (Defender for Office 365 protection needs to be applied to all recipients or specific recipients, otherwise the policy will automatically turn off) - expect WARNING for 7.1 and PASS for 7.2 and 7.3
Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "Specific recipients" and specify a user, group or domain. - expect WARNING for 7.1 and PASS for 7.2 and 7.3
Click "Manage protection settings" and modify the settings so that Exchange Online Protection is applied to "All recipients" - expect PASS for 7.1, 7.2 and 7.3
Repeat steps for strict preset policy
Test Custom Policy
Ensure standard and strict preset policies are disabled the following testing.
Go to Microsoft Defender admin page
Under Email & Collaboration > Policies & Rules > Threat Policies > Safe Links
Either modify an existing custom policy or create a new one.
Ensure custom policy has a priority of 0 (or has the lowest priority out of all the policies that are enabled).
Click "Edit users and domains" and ensure that all fields are empty.
Modify the policy cumulatively:
Add another custom policy that is not compliant (all of the settings above is disabled) and modify it so that the second custom policy has a lower priority number than the first custom policy - expect WARNING for 7.1, 7.2 and 7.3
Switch the first custom policy priority back to 0, click "Edit users and domains" and specify a user, group or domain - expect WARNING for 7.1, 7.2 and 7.3
Repeat on all tenants in interactive and non-interactive modes.
✅ Pre-approval checklist
✅ Pre-merge checklist
PR passed smoke test check.
PR/feature branch passes functional tests for relevant products, if applicable.
Feature branch has been rebased against changes from parent branch, as needed.
Use
Update branchbutton below or use this reference to rebase from the command line.Resolved all merge conflicts on branch.
Squash all commits into one PR level commit using the
Squash and mergebutton.✅ Post-merge checklist