[pull] dev from KelvinTegelaar:dev#867

Merged
pull[bot] merged 2 commits into
bmsimp:devfrom
KelvinTegelaar:dev
Mar 26, 2026
Conversation

@pull pull Bot commented Mar 26, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

chris-dewey-1991 and others added 2 commits March 25, 2026 20:18
This script creates and manages Exchange Online transport rules for colleague impersonation alerts, handling sender display names and exemptions.

Signed-off-by: Chris Dewey <142454021+chris-dewey-1991@users.noreply.github.com>
This script creates and manages Exchange Online transport rules for
colleague impersonation alerts, handling sender display names and
exemptions.

Relates to the following
KelvinTegelaar/CIPP#5138
KelvinTegelaar/CIPP#5725

**Details of Standards**

**Rule Structure**
This standard creates five rules, split alphabetically by the first
letter of the user’s display name:
• (A–E) Colleague Impersonation Alert
• (F–J) Colleague Impersonation Alert
• (K–O) Colleague Impersonation Alert
• (P–T) Colleague Impersonation Alert
• (U–Z) Colleague Impersonation Alert
Example:
A user named Lexi Jones would be included in the (K–O) rule.


**User Management**
• Only active User Mailboxes and Shared Mailboxes are included
• Disabled accounts are automatically removed during the next
remediation run
• New users are added automatically


**Domain Exemptions**
The standard automatically detects the tenant’s accepted domains and
adds them as exemptions. This ensures internal emails never trigger the
warning banner.


**Keyword Exclusions**
Mailboxes can be excluded using keyword matching against the display
name.
Example:
Adding the keyword “Leaver” will exclude any mailbox containing that
word. This is useful for organisations that rename or archive accounts
(e.g. using a prefix like “Leaver:” instead of deleting them).


**Exempt Senders**
Specific external sender addresses can be whitelisted to prevent the
banner from being applied.
Example:
no-reply@teams.mail.microsoft can be added if Microsoft service
notifications are incorrectly flagged.
• These exemptions are global, not per client
• Manually added exempt senders are preserved and not overwritten by the
standard


**Drift Detection**
The standard validates that:
• All five rules exist
• Each rule’s user list matches the current set of active mailboxes
If discrepancies are found (e.g. users added or removed), the standard
is marked as non-compliant and will re-sync during remediation.


**Example of Alert Banner (HTML) to use**
Simply copy and paste this into the Alert Banner section and tweak it to your
liking.
```html
<table border="0" cellspacing="0" cellpadding="0" align="left" width="100%">
  <tr>
    <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>
    <td width="100%" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
      <div style="color:#222222;"><span style="color:#222; font-weight:bold;">Warning:</span> This email was sent
      from outside the company, and it has the same display name as someone inside our organization. This is
      probably a phishing mail. Do not click on links or open attachments unless you are certain that this email
      is safe.</div>
    </td>
  </tr>
</table>
<br/>
```

**Recommendation**
It is recommended to enable auto-remediation, as frequent user changes
will otherwise cause ongoing drift and require manual intervention.

<img width="652" height="626" alt="image"
src="https://github.com/user-attachments/assets/c94de3f8-1d6b-4646-aa4e-5fa0ddd4baaf"
/>

<img width="1340" height="854" alt="image"
src="https://github.com/user-attachments/assets/f789e136-5084-400d-a981-d10e403bac54"
/>

PS I won't lie :) I had help from AI to validate my code and help me out
in certain areas. Testing was on my own tenant using Classic Standards,
Drift Standards, Auto Remediation and Manual Remediation. Confirmed logs
showing in each stage.
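The bucketing, exclusion and drift logic the commit message describes, as an added worked example that is not CIPP's code and not part of this PR. It assumes the rule names follow the "(A–E) Colleague Impersonation Alert" pattern from the message, that each rule matches the protected display names as escaped regexes in the From header of mail from outside the organisation, and that accepted domains and exempt senders are expressed as rule exceptions; the cmdlet and parameter names used in the comments are the public ExchangeOnlineManagement ones, and all mailbox, domain and rule data below is constructed so the logic runs offline without a tenant.

```powershell
# Added example (not CIPP's implementation). Assumed rule naming and From-header
# regex matching; sample data is constructed and stands in for Get-EXOMailbox,
# Get-AcceptedDomain and Get-TransportRule output.

$Mailboxes = @(
    [pscustomobject]@{ DisplayName = 'Lexi Jones';      RecipientTypeDetails = 'UserMailbox';   AccountDisabled = $false }
    [pscustomobject]@{ DisplayName = 'Amir Patel';      RecipientTypeDetails = 'UserMailbox';   AccountDisabled = $false }
    [pscustomobject]@{ DisplayName = 'Finance Team';    RecipientTypeDetails = 'SharedMailbox'; AccountDisabled = $false }
    [pscustomobject]@{ DisplayName = 'Leaver: Bob Lee'; RecipientTypeDetails = 'UserMailbox';   AccountDisabled = $false }
    [pscustomobject]@{ DisplayName = 'Zoe Quinn';       RecipientTypeDetails = 'UserMailbox';   AccountDisabled = $true  }
    [pscustomobject]@{ DisplayName = 'Discovery Search Mailbox'; RecipientTypeDetails = 'DiscoveryMailbox'; AccountDisabled = $false }
)
$AcceptedDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # constructed
$ExcludeKeywords = @('Leaver')
$ExemptSenders   = @('no-reply@teams.mail.microsoft')

# The five alphabetical buckets from the standard, keyed by rule-name prefix.
$Buckets = [ordered]@{ '(A–E)' = 'ABCDE'; '(F–J)' = 'FGHIJ'; '(K–O)' = 'KLMNO'; '(P–T)' = 'PQRST'; '(U–Z)' = 'UVWXYZ' }

function Get-ImpersonationTargets {
    # Active user and shared mailboxes only, minus any display name containing an exclusion keyword.
    param([object[]]$Mailboxes, [string[]]$ExcludeKeywords)
    $Mailboxes |
        Where-Object { $_.RecipientTypeDetails -in 'UserMailbox', 'SharedMailbox' -and -not $_.AccountDisabled } |
        Where-Object { $dn = $_.DisplayName; -not ($ExcludeKeywords | Where-Object { $dn -like "*$_*" }) } |
        ForEach-Object { $_.DisplayName } | Sort-Object -Unique
}

function Split-ByInitial {
    # Ordered map of bucket prefix -> display names whose first letter falls in that range.
    param([string[]]$Names, $Buckets)
    $result = [ordered]@{}
    foreach ($k in $Buckets.Keys) { $result[$k] = [System.Collections.Generic.List[string]]::new() }
    foreach ($n in $Names) {
        if (-not $n) { continue }
        $initial = $n.Substring(0, 1).ToUpperInvariant()
        $hit = $Buckets.Keys | Where-Object { $Buckets[$_].Contains($initial) } | Select-Object -First 1
        if ($hit) { $result[$hit].Add($n) }
        else { Write-Warning "No A-Z bucket for '$n' (non-letter initial); the standard only defines A-Z" }
    }
    $result
}

function New-RuleParameterSet {
    # Splat-able parameters for New-TransportRule / Set-TransportRule for one bucket (assumed rule shape).
    param([string]$Prefix, [string[]]$Names, [string[]]$AcceptedDomains, [string[]]$ExemptSenders, [string]$BannerHtml)
    $p = @{
        Name                              = "$Prefix Colleague Impersonation Alert"
        FromScope                         = 'NotInOrganization'            # external mail only
        HeaderMatchesMessageHeader        = 'From'
        HeaderMatchesPatterns             = @($Names | ForEach-Object { [regex]::Escape($_) })
        ExceptIfSenderDomainIs            = $AcceptedDomains               # tenant's own domains never trigger it
        ExceptIfFromAddressContainsWords  = $ExemptSenders                 # whitelisted external senders
        ApplyHtmlDisclaimerLocation       = 'Prepend'
        ApplyHtmlDisclaimerText           = $BannerHtml
        ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    }
    # Drop empty values so an empty exemption list does not fail parameter binding.
    @($p.Keys) | Where-Object { -not $p[$_] } | ForEach-Object { $p.Remove($_) }
    $p
}

function Test-RuleDrift {
    # Compares the desired buckets with existing rules (Name + HeaderMatchesPatterns).
    # On live Get-TransportRule output, cast each pattern with "$_" before comparing.
    param($Desired, [object[]]$ExistingRules)
    $findings = @()
    foreach ($prefix in $Desired.Keys) {
        $name = "$prefix Colleague Impersonation Alert"
        $rule = $ExistingRules | Where-Object { $_.Name -eq $name }
        if (-not $rule) { $findings += "missing rule: $name"; continue }
        $want    = @($Desired[$prefix] | ForEach-Object { [regex]::Escape($_) })
        $have    = @($rule.HeaderMatchesPatterns | ForEach-Object { "$_" })
        $missing = @($want | Where-Object { $_ -notin $have })
        $stale   = @($have | Where-Object { $_ -notin $want })
        if ($missing -or $stale) { $findings += "$name : missing [$($missing -join ', ')] stale [$($stale -join ', ')]" }
    }
    $findings   # empty = compliant
}

# Run on the constructed data.
$Targets = Get-ImpersonationTargets -Mailboxes $Mailboxes -ExcludeKeywords $ExcludeKeywords
$Desired = Split-ByInitial -Names $Targets -Buckets $Buckets
$Desired.GetEnumerator() | ForEach-Object { "{0,-6} {1}" -f $_.Key, ($_.Value -join '; ') }

# Constructed "current tenant state": the (U–Z) rule is absent and (K–O) still lists the leaver.
$Existing = @(
    [pscustomobject]@{ Name = '(A–E) Colleague Impersonation Alert'; HeaderMatchesPatterns = @('Amir\ Patel') }
    [pscustomobject]@{ Name = '(F–J) Colleague Impersonation Alert'; HeaderMatchesPatterns = @('Finance\ Team') }
    [pscustomobject]@{ Name = '(K–O) Colleague Impersonation Alert'; HeaderMatchesPatterns = @('Lexi\ Jones', 'Leaver:\ Bob\ Lee') }
    [pscustomobject]@{ Name = '(P–T) Colleague Impersonation Alert'; HeaderMatchesPatterns = @() }
)
Test-RuleDrift -Desired $Desired -ExistingRules $Existing

# Against a live tenant (after Connect-ExchangeOnline) swap the constructed data for:
#   $Mailboxes       = Get-EXOMailbox -ResultSize Unlimited -Properties DisplayName, RecipientTypeDetails, AccountDisabled
#   $AcceptedDomains = (Get-AcceptedDomain).DomainName
#   $Existing        = Get-TransportRule | Where-Object { $_.Name -like '*Colleague Impersonation Alert' }
# then for each bucket splat New-RuleParameterSet into New-TransportRule, or Set-TransportRule -Identity $p.Name.
```

Two points the commit message relies on but does not spell out: display names are escaped with `[regex]::Escape` because `HeaderMatchesPatterns` is a regex list, so a name containing `.` or `(` would otherwise over-match; and splitting the population across five rules keeps each rule's condition well under the per-rule size limits, which is why the drift check compares rule by rule rather than as one combined list.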
@pull pull Bot locked and limited conversation to collaborators Mar 26, 2026
@pull pull Bot added the ⤵️ pull label Mar 26, 2026
@pull pull Bot merged commit 7c91ae8 into bmsimp:dev Mar 26, 2026