Microsoft 365 Exchange transport rule set up to automatically forward email


Goal

Detect when a user adds or modifies an Exchange transport rule to automatically forward emails.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operations New-TransportRule or Set-TransportRule, where a value is set for @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo. Attackers often create email forwarding rules to collect sensitive information and maintain persistence in the organization.

Triage and response

  1. Inspect the @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo value and determine whether the rule forwards email to an external domain that the company does not own. Additional investigation points include the following:
    • Identify the @AppId value to determine whether it is unusual for the user.
    • Identify whether suspicious keywords such as ‘payment’ and ‘invoice’ are used.
  2. Determine if there is a legitimate use case for the mail forwarding rule by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mail forwarding rule:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.
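The detection logic from the Strategy section, together with the external-domain check from triage step 1, as an added Python example that is not part of the original rule. It runs over constructed audit log records shaped like the Exchange audit schema, where cmdlet parameters arrive as a list of Name/Value pairs; the company domain set and the sample values are assumptions.

```python
import json

# Constructed sample Microsoft 365 unified audit log records (not real data).
# In the Exchange audit schema, cmdlet parameters arrive as a list of
# {"Name": ..., "Value": ...} objects under "Parameters".
SAMPLE_RECORDS = [
    {"Operation": "New-TransportRule", "UserId": "alice@corp.example",
     "AppId": "00000000-0000-0000-0000-000000000001",
     "Parameters": [{"Name": "Name", "Value": "Invoice copy"},
                    {"Name": "BlindCopyTo", "Value": "drop@external.example"}]},
    {"Operation": "Set-TransportRule", "UserId": "bob@corp.example",
     "AppId": "00000000-0000-0000-0000-000000000001",
     "Parameters": [{"Name": "Identity", "Value": "Archive"},
                    {"Name": "RedirectMessageTo", "Value": "archive@corp.example"}]},
    {"Operation": "Set-TransportRule", "UserId": "carol@corp.example",
     "AppId": "00000000-0000-0000-0000-000000000001",
     "Parameters": [{"Name": "Identity", "Value": "Tag"},
                    {"Name": "PrependSubject", "Value": "[EXT]"}]},
]

FORWARDING_OPS = {"New-TransportRule", "Set-TransportRule"}
FORWARDING_PARAMS = {"BlindCopyTo", "RedirectMessageTo"}

def detect_forwarding_rules(records, company_domains):
    """Return one finding per record that matches the rule's logic: operation
    is New-/Set-TransportRule and BlindCopyTo or RedirectMessageTo is set.
    Each finding also lists recipients outside company_domains (triage step 1)."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        hits = {k: v for k, v in params.items() if k in FORWARDING_PARAMS and v}
        if not hits:
            continue
        # A parameter value may list several recipients separated by ';' or ','.
        recipients = [r.strip().lower() for v in hits.values()
                      for r in v.replace(";", ",").split(",") if r.strip()]
        external = [r for r in recipients
                    if r.split("@")[-1] not in company_domains]
        findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                         "app_id": rec.get("AppId"), "params": hits,
                         "external_recipients": external})
    return findings

if __name__ == "__main__":
    for finding in detect_forwarding_rules(SAMPLE_RECORDS, {"corp.example"}):
        print(json.dumps(finding))
```

The third record is a transport rule change that sets neither forwarding parameter, so it produces no finding; the second matches the rule but forwards internally, which the external_recipients field leaves empty for the analyst to weigh.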

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.