Add minor updates and clarify several polices in the EXO baseline document

[buidav]

💡 Summary

The are several comments in the comments matrix asking for minor updates or asking for clarifications on policies in the EXO baseline document. This issue is to bundle up these minor updates to the baseline document as they don't seem worthy of a separate issue to for investigation.

Motivation and context

This makes us go back and rewrite the original language of the EXO baselines for both clarification and updates to any implementation steps.

Implementation notes

• Comments Matrix number 64 (Separate spreadsheet)
  Commenter notes that PowerShell examples are being given for some but not all of the policies. They also note that it currently isn't clear why some policies provide implementation details through both the GUI and PowerShell while others only through the GUI.

• Comments Matrix number 134 (Comment from adhilto)
  EXO 2.1: Microsoft recommended we add the following as resources for 2.1:

  • All you need to know about automatic email forwarding in Exchange Online - Microsoft Tech Community
  • Detect and remediate the Outlook rules and custom forms injections attacks. -Office 365 | Microsoft Docs

• Comments Matrix number 64 (Separate Spreadsheet)
  EXO 2.2 The commenter notes that this baseline provides a PowerShell script to test the SPD configuration; however, we do not describe how to interpret the results of the script.

• Comments Matrix number 64 (Separate Spreadsheet)
  EXO 2.3 The commenter notes that the first section of the intro to this baseline true but could be misread that DKIM is providing authenticity for the sending user. They recommend making it clearer that DKIM authenticates both the sending mail server and the sending user.

• Comments Matrix number 64 (Separate Spreadsheet)
  EXO 2.3 The commenter notes that the first section of the intro to this baseline true but could be misread that DKIM is providing authenticity for the sending user. They recommend making it clearer that DKIM authenticates both the sending mail server and the sending user.

• Comments Matrix number 64 (Separate Spreadsheet)
  EXO 2.5 The commenter notes that SMTP AUTH cannot enforce MFA. They recommend we add additional guidance that should be provided that SMTP AUTH be used on a limited basis with scenarios provided where such authentication is appropriate and convey the caution that should be taken when enabling SMTP Auth.

• Comments Matrix number 64 (Separate Spreadsheet)
  EXO 2.9: Recommendation that we add *.iso to the list of click-to-run files that should be blocked.

Acceptance criteria

• Clarify why PowerShell implementation instructions are being given for certain baselines.
• Update EXO 2.1 with the additional resources.
• Update EXO 2.2 with instructions on how to interpret the result of PowerShell script
• Update EXO 2.3 to clarify DKIM authenticity
• Update EXO 2.5 to caution SMTP Auth
• Update EXO 2.9 Add *.iso to the list of blocked click-to-run files