feat(m365): add defender_atp_safe_attachments_policy_enabled security check

Add new security check defender_atp_safe_attachments_policy_enabled for m365 provider.
Includes check implementation, metadata, and unit tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: andoniaf

prowler/CHANGELOG.md

@@ -24,6 +24,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - CIS 6.0 for M365 provider [(#9779)](https://github.com/prowler-cloud/prowler/pull/9779)
 - CIS 5.0 compliance framework for the Azure provider [(#9777)](https://github.com/prowler-cloud/prowler/pull/9777)
 - `Cloudflare` Bot protection, WAF, Privacy, Anti-Scraping and Zone configuration checks [(#9425)](https://github.com/prowler-cloud/prowler/pull/9425)
+- `defender_atp_safe_attachments_policy_enabled` check for m365 provider [(#9837)](https://github.com/prowler-cloud/prowler/pull/9837)
 
 ### Changed
 - Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)

prowler/providers/m365/lib/powershell/m365_powershell.py

@@ -823,6 +823,29 @@ def get_sharing_policy(self) -> dict:
             "Get-SharingPolicy | ConvertTo-Json -Depth 10", json_parse=True
         )
 
+    def get_atp_policy_for_o365(self) -> dict:
+        """
+        Get ATP Policy for Office 365.
+
+        Retrieves the current ATP (Advanced Threat Protection) policy settings for Office 365,
+        including Safe Attachments for SharePoint, OneDrive, and Teams, and Safe Documents settings.
+
+        Returns:
+            dict: ATP policy settings in JSON format.
+
+        Example:
+            >>> get_atp_policy_for_o365()
+            {
+                "Identity": "Default",
+                "EnableATPForSPOTeamsODB": true,
+                "EnableSafeDocs": true,
+                "AllowSafeDocsOpen": false
+            }
+        """
+        return self.execute(
+            "Get-AtpPolicyForO365 | ConvertTo-Json -Depth 10", json_parse=True
+        )
+
     def get_user_account_status(self) -> dict:
         """
         Get User Account Status.

prowler/providers/m365/services/defender/defender_atp_safe_attachments_policy_enabled/__init__.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "m365",
+  "CheckID": "defender_atp_safe_attachments_policy_enabled",
+  "CheckTitle": "ATP Safe Attachments policy has Safe Documents enabled and click-through blocked for SharePoint, OneDrive, and Microsoft Teams",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "Defender ATP Policy",
+  "ResourceGroup": "security",
+  "Description": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protects organizations from inadvertently sharing malicious files. When enabled, files identified as malicious are blocked and cannot be opened, copied, moved, or shared until further actions are taken by the organization's security team.",
+  "Risk": "Without Safe Attachments enabled, users may download, sync, or access malicious files from SharePoint, OneDrive, or Teams, potentially leading to malware infections across the organization. If Safe Documents is disabled or users can bypass Protected View, malicious content in Office documents may execute and compromise endpoints.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about",
+    "https://learn.microsoft.com/en-us/defender-office-365/safe-documents-in-e5-plus-security-about"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false",
+      "NativeIaC": "",
+      "Other": "1. Navigate to Microsoft 365 Defender portal at https://security.microsoft.com.\n2. Go to Email & Collaboration > Policies & Rules > Threat policies.\n3. Under Policies, select Safe Attachments.\n4. Click on Global settings.\n5. Enable Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.\n6. Enable Turn on Safe Documents for Office clients.\n7. Disable Allow people to click through Protected View even if Safe Documents identified the file as malicious.\n8. Click Save.",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams along with Safe Documents to protect users from malicious files. Block users from bypassing Protected View warnings for files identified as malicious to maintain defense-in-depth.",
+      "Url": "https://hub.prowler.com/check/defender_atp_safe_attachments_policy_enabled"
+    }
+  },
+  "Categories": [
+    "e5"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check requires Microsoft Defender for Office 365 Plan 1 or Plan 2 (included in E5 license). Safe Documents specifically requires Microsoft 365 E5 or Microsoft 365 E5 Security."
+}

prowler/providers/m365/services/defender/defender_atp_safe_attachments_policy_enabled/defender_atp_safe_attachments_policy_enabled.metadata.json

@@ -0,0 +1,60 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportM365
+from prowler.providers.m365.services.defender.defender_client import defender_client
+
+
+class defender_atp_safe_attachments_policy_enabled(Check):
+    """
+    Check if Safe Attachments for SharePoint, OneDrive, and Teams is properly configured.
+
+    This check verifies that the ATP (Advanced Threat Protection) policy for Office 365 has:
+    - EnableATPForSPOTeamsODB = True (Safe Attachments enabled for SPO/OneDrive/Teams)
+    - EnableSafeDocs = True (Safe Documents enabled)
+    - AllowSafeDocsOpen = False (Users cannot bypass Protected View for malicious files)
+
+    - PASS: All three settings are properly configured.
+    - FAIL: One or more settings are not properly configured.
+    """
+
+    def execute(self) -> List[CheckReportM365]:
+        """
+        Execute the check to verify Safe Attachments ATP policy configuration.
+
+        Returns:
+            List[CheckReportM365]: A list of reports containing the result of the check.
+        """
+        findings = []
+
+        if defender_client.atp_policy_for_o365:
+            policy = defender_client.atp_policy_for_o365
+
+            report = CheckReportM365(
+                metadata=self.metadata(),
+                resource=policy,
+                resource_name=policy.identity,
+                resource_id=policy.identity,
+            )
+
+            # Check all three required settings
+            is_atp_enabled = policy.enable_atp_for_spo_teams_odb
+            is_safe_docs_enabled = policy.enable_safe_docs
+            is_safe_docs_open_blocked = not policy.allow_safe_docs_open
+
+            if is_atp_enabled and is_safe_docs_enabled and is_safe_docs_open_blocked:
+                report.status = "PASS"
+                report.status_extended = f"ATP policy {policy.identity} has Safe Attachments for SharePoint, OneDrive, and Teams properly configured with Safe Documents enabled and click-through blocked."
+            else:
+                report.status = "FAIL"
+                issues = []
+                if not is_atp_enabled:
+                    issues.append("Safe Attachments for SPO/OneDrive/Teams is disabled")
+                if not is_safe_docs_enabled:
+                    issues.append("Safe Documents is disabled")
+                if not is_safe_docs_open_blocked:
+                    issues.append("users can bypass Protected View for malicious files")
+                report.status_extended = f"ATP policy {policy.identity} is not properly configured: {'; '.join(issues)}."
+
+            findings.append(report)
+
+        return findings

prowler/providers/m365/services/defender/defender_atp_safe_attachments_policy_enabled/defender_atp_safe_attachments_policy_enabled.py

@@ -8,7 +8,34 @@
 
 
 class Defender(M365Service):
+    """
+    Microsoft 365 Defender service class.
+
+    This class provides methods to retrieve and manage Microsoft Defender for Office 365
+    security policies and configurations, including malware filters, spam policies,
+    anti-phishing settings, and ATP (Advanced Threat Protection) policies.
+
+    Attributes:
+        malware_policies (list): List of malware filter policies.
+        outbound_spam_policies (dict): Dictionary of outbound spam filter policies.
+        outbound_spam_rules (dict): Dictionary of outbound spam filter rules.
+        antiphishing_policies (dict): Dictionary of anti-phishing policies.
+        antiphishing_rules (dict): Dictionary of anti-phishing rules.
+        connection_filter_policy: Connection filter policy configuration.
+        dkim_configurations (list): List of DKIM signing configurations.
+        inbound_spam_policies (list): List of inbound spam filter policies.
+        inbound_spam_rules (dict): Dictionary of inbound spam filter rules.
+        report_submission_policy: Report submission policy configuration.
+        atp_policy_for_o365: ATP policy for Office 365 configuration.
+    """
+
     def __init__(self, provider: M365Provider):
+        """
+        Initialize the Defender service.
+
+        Args:
+            provider (M365Provider): The Microsoft 365 provider instance.
+        """
         super().__init__(provider)
         self.malware_policies = []
         self.outbound_spam_policies = {}
@@ -20,6 +47,7 @@ def __init__(self, provider: M365Provider):
         self.inbound_spam_policies = []
         self.inbound_spam_rules = {}
         self.report_submission_policy = None
+        self.atp_policy_for_o365 = None
         if self.powershell:
             if self.powershell.connect_exchange_online():
                 self.malware_policies = self._get_malware_filter_policy()
@@ -33,6 +61,7 @@ def __init__(self, provider: M365Provider):
                 self.inbound_spam_policies = self._get_inbound_spam_filter_policy()
                 self.inbound_spam_rules = self._get_inbound_spam_filter_rule()
                 self.report_submission_policy = self._get_report_submission_policy()
+                self.atp_policy_for_o365 = self._get_atp_policy_for_o365()
             self.powershell.close()
 
     def _get_malware_filter_policy(self):
@@ -350,6 +379,12 @@ def _get_inbound_spam_filter_rule(self):
         return inbound_spam_rules
 
     def _get_report_submission_policy(self):
+        """
+        Get the Defender report submission policy.
+
+        Returns:
+            ReportSubmissionPolicy: The report submission policy configuration.
+        """
         logger.info("Microsoft365 - Getting Defender report submission policy...")
         report_submission_policy = None
         try:
@@ -387,6 +422,35 @@ def _get_report_submission_policy(self):
             )
         return report_submission_policy
 
+    def _get_atp_policy_for_o365(self):
+        """
+        Get the ATP (Advanced Threat Protection) policy for Office 365.
+
+        Retrieves the ATP policy settings including Safe Attachments for SharePoint,
+        OneDrive, and Teams, as well as Safe Documents configuration.
+
+        Returns:
+            AtpPolicyForO365: The ATP policy configuration for Office 365.
+        """
+        logger.info("Microsoft365 - Getting ATP policy for Office 365...")
+        atp_policy = None
+        try:
+            policy = self.powershell.get_atp_policy_for_o365()
+            if policy:
+                atp_policy = AtpPolicyForO365(
+                    identity=policy.get("Identity", "Default"),
+                    enable_atp_for_spo_teams_odb=policy.get(
+                        "EnableATPForSPOTeamsODB", False
+                    ),
+                    enable_safe_docs=policy.get("EnableSafeDocs", False),
+                    allow_safe_docs_open=policy.get("AllowSafeDocsOpen", True),
+                )
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+        return atp_policy
+
 
 class MalwarePolicy(BaseModel):
     enable_file_filter: bool
@@ -470,6 +534,8 @@ class InboundSpamRule(BaseModel):
 
 
 class ReportSubmissionPolicy(BaseModel):
+    """Model for Defender report submission policy configuration."""
+
     report_junk_to_customized_address: bool
     report_not_junk_to_customized_address: bool
     report_phish_to_customized_address: bool
@@ -478,3 +544,22 @@ class ReportSubmissionPolicy(BaseModel):
     report_phish_addresses: list[str]
     report_chat_message_enabled: bool
     report_chat_message_to_customized_address_enabled: bool
+
+
+class AtpPolicyForO365(BaseModel):
+    """
+    Model for ATP (Advanced Threat Protection) policy for Office 365.
+
+    Attributes:
+        identity: The identity of the ATP policy.
+        enable_atp_for_spo_teams_odb: Whether Safe Attachments is enabled for
+            SharePoint, OneDrive, and Microsoft Teams.
+        enable_safe_docs: Whether Safe Documents is enabled for clients in Protected View.
+        allow_safe_docs_open: Whether users can click through Protected View
+            even if Safe Documents identifies the file as malicious.
+    """
+
+    identity: str
+    enable_atp_for_spo_teams_odb: bool
+    enable_safe_docs: bool
+    allow_safe_docs_open: bool