[New Check]: Mailbox primary SMTP address must use a verified custom domain (not .onmicrosoft.com) · prowler-cloud/prowler#11069

2026-05-06T14:28:23.000Z

### Existing check search - [x] I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist. ### Provider Microsoft 365 ### New provider name _No response_ ### Service or product area exchange ### Suggested check name `exchange_mailbox_primary_smtp_uses_custom_domain` ### Context and goal - **Security condition to validate:** Every user-facing Exchange Online mailbox in the tenant uses a primary SMTP address on a verified custom domain — never the default `*.onmicrosoft.com` routing domain. - **Why it matters:** The `*.onmicrosoft.com` domain is the routing domain Microsoft assigns to every tenant on creation; it is not intended for ongoing day-to-day mail. Mailboxes that still send and receive on this domain leak the internal tenant identifier in every From: header (helping attackers fingerprint the tenant for spear-phishing), bypass DMARC/DKIM hardening that customers deploy on their custom domains, and frequently get treated as low-trust by recipients' anti-phishing engines. Microsoft's own admin guidance recommends moving every mailbox onto a verified custom domain after onboarding and reserving the `.onmicrosoft.com` address as a fallback. - **Resource involved:** Exchange Online mailboxes (`Get-Mailbox`) and their `PrimarySmtpAddress`. ### Expected behavior - **Resource or scope to evaluate:** All recipient-facing mailboxes returned by `Get-Mailbox -ResultSize Unlimited` of types `UserMailbox`, `SharedMailbox`, `RoomMailbox`, and `EquipmentMailbox`. For each, inspect `PrimarySmtpAddress`. - **PASS when:** every evaluated mailbox's `PrimarySmtpAddress` resolves to a domain that is **not** under `*.onmicrosoft.com`. Empty tenants (no mailboxes) also PASS. - **FAIL when:** at least one evaluated mailbox has `PrimarySmtpAddress` under `*.onmicrosoft.com`. The finding should report the mailbox `Identity`, `RecipientTypeDetails`, and the offending `PrimarySmtpAddress`. - **MANUAL when:** Exchange Online PowerShell is unavailable for the run — the check cannot complete and should report MANUAL with a status message asking the operator to enable EXO PowerShell. - **Exclusions / edge cases:** - **Skip system-generated mailboxes** by recipient type: `DiscoveryMailbox`, `ArbitrationMailbox`, `AuditLogMailbox`, `MonitoringMailbox`, `AuxAuditLogMailbox`, and any mailbox tagged `SystemMailbox`. Those are managed by Microsoft and routinely keep the `.onmicrosoft.com` primary address by design. - The check intentionally does **not** verify that secondary `EmailAddresses` are also off `.onmicrosoft.com`. The policy concern is the *primary* (the address used for outbound mail and From: header). Audit of secondary addresses can be a follow-up. ### References - Microsoft 365 admin — Add a custom domain to Microsoft 365: https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain - Microsoft 365 admin — Domains FAQ (`onmicrosoft.com` primary domain guidance): https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq - Exchange Online PowerShell — `Get-Mailbox`: https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailbox - Exchange Online — Manage user mailboxes (recipient management overview): https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes ### Suggested severity Low ### Additional implementation notes - **Existing patterns to follow:** Sibling checks `exchange_user_mailbox_auditing_enabled` and `exchange_shared_mailbox_sign_in_disabled` already enumerate mailboxes via the existing Exchange Online PowerShell wiring in `prowler/providers/m365/services/exchange/exchange_service.py`. Reuse that same enumeration; expose `RecipientTypeDetails` and `PrimarySmtpAddress` on the loaded mailbox model if not already present. - **Permissions / scopes:** No additional permissions beyond what the `exchange` service already requires (Exchange Online PowerShell access). No Microsoft Graph permissions are needed for this check. - **PowerShell IS required**; mailbox listings are not exposed via Microsoft Graph in a way that gives `PrimarySmtpAddress` reliably across all recipient types. - **Exclusion list constant:** Define the system-mailbox `RecipientTypeDetails` exclusion list as a module-level constant so it is easy to extend if Microsoft introduces new recipient subtypes. - **Metadata:** follow the Exchange metadata schema used by sibling checks under `exchange/`. Set `ResourceType` to `microsoft.exchange/mailboxes`.

(3 comments) (0 reactions) (1 assignee)Python (8,957 stars) (1,322 forks)batch import

feature-requestgood first issuenew-checkprovider/m365

Description

Existing check search

I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.

Provider

Microsoft 365

New provider name

No response

Service or product area

exchange

Suggested check name

exchange_mailbox_primary_smtp_uses_custom_domain

Context and goal

Security condition to validate: Every user-facing Exchange Online mailbox in the tenant uses a primary SMTP address on a verified custom domain — never the default *.onmicrosoft.com routing domain.
Why it matters: The *.onmicrosoft.com domain is the routing domain Microsoft assigns to every tenant on creation; it is not intended for ongoing day-to-day mail. Mailboxes that still send and receive on this domain leak the internal tenant identifier in every From: header (helping attackers fingerprint the tenant for spear-phishing), bypass DMARC/DKIM hardening that customers deploy on their custom domains, and frequently get treated as low-trust by recipients' anti-phishing engines. Microsoft's own admin guidance recommends moving every mailbox onto a verified custom domain after onboarding and reserving the .onmicrosoft.com address as a fallback.
Resource involved: Exchange Online mailboxes (Get-Mailbox) and their PrimarySmtpAddress.

Expected behavior

Resource or scope to evaluate: All recipient-facing mailboxes returned by Get-Mailbox -ResultSize Unlimited of types UserMailbox, SharedMailbox, RoomMailbox, and EquipmentMailbox. For each, inspect PrimarySmtpAddress.
PASS when: every evaluated mailbox's PrimarySmtpAddress resolves to a domain that is not under *.onmicrosoft.com. Empty tenants (no mailboxes) also PASS.
FAIL when: at least one evaluated mailbox has PrimarySmtpAddress under *.onmicrosoft.com. The finding should report the mailbox Identity, RecipientTypeDetails, and the offending PrimarySmtpAddress.
MANUAL when: Exchange Online PowerShell is unavailable for the run — the check cannot complete and should report MANUAL with a status message asking the operator to enable EXO PowerShell.
Exclusions / edge cases:
- Skip system-generated mailboxes by recipient type: DiscoveryMailbox, ArbitrationMailbox, AuditLogMailbox, MonitoringMailbox, AuxAuditLogMailbox, and any mailbox tagged SystemMailbox. Those are managed by Microsoft and routinely keep the .onmicrosoft.com primary address by design.
- The check intentionally does not verify that secondary EmailAddresses are also off .onmicrosoft.com. The policy concern is the primary (the address used for outbound mail and From: header). Audit of secondary addresses can be a follow-up.

References

Microsoft 365 admin — Add a custom domain to Microsoft 365: https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain
Microsoft 365 admin — Domains FAQ (onmicrosoft.com primary domain guidance): https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq
Exchange Online PowerShell — Get-Mailbox: https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailbox
Exchange Online — Manage user mailboxes (recipient management overview): https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes

Suggested severity

Low

Additional implementation notes

Existing patterns to follow: Sibling checks exchange_user_mailbox_auditing_enabled and exchange_shared_mailbox_sign_in_disabled already enumerate mailboxes via the existing Exchange Online PowerShell wiring in prowler/providers/m365/services/exchange/exchange_service.py. Reuse that same enumeration; expose RecipientTypeDetails and PrimarySmtpAddress on the loaded mailbox model if not already present.
Permissions / scopes: No additional permissions beyond what the exchange service already requires (Exchange Online PowerShell access). No Microsoft Graph permissions are needed for this check.
PowerShell IS required; mailbox listings are not exposed via Microsoft Graph in a way that gives PrimarySmtpAddress reliably across all recipient types.
Exclusion list constant: Define the system-mailbox RecipientTypeDetails exclusion list as a module-level constant so it is easy to extend if Microsoft introduces new recipient subtypes.
Metadata: follow the Exchange metadata schema used by sibling checks under exchange/. Set ResourceType to microsoft.exchange/mailboxes.

Contributor guide

Tech stack: pythonshell
Domain: securitycloud
Issue type: feature
Difficulty: 3
Estimated time: 1-2 days
Activity status: blocked
Clarity: clear
Prerequisites: Python programmingPowerShell scriptingExchange Online basics
Newbie friendliness: 65
Research direction: Examine the existing exchange service in prowler/providers/m365/services/exchange/exchange service.py and sibling checks like exchange user mailbox auditing enabled to understand the pattern. Add the new check following the same structure, implementing the mailbox enumeration and domain validation. Ensure proper handling of system mailboxes exclusion.