A catch-all email address receives mail sent to any address at your domain, even ones that do not actually exist, misspellings, old employee addresses, or spam bots guessing addresses, and auditing this setup closes both a spam and a security gap.
A catch-all left on by default silently accepts email for accounts that no longer exist, which is both a spam magnet and a real risk if an old address is later used to reset a password on some other service.
Your catch-all configuration is a deliberate choice, either disabled or actively monitored, not a forgotten default.
The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.
Open this mission in H.I.V.E. →