Microsoft 365 Exchange transport rule set up to automatically forward email
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a user adds or modifies an Exchange transport rule to automatically forward emails.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operations New-TransportRule
or Set-TransportRule
, where a value is set for @Parameters.BlindCopyTo
or @Parameters.RedirectMessageTo
. Attackers often create email forwarding rules to collect sensitive information and maintain persistence in the organization.
Triage and response
- Inspect the
@Parameters.BlindCopyTo
or @Parameters.RedirectMessageTo
and determine if the rule is sending email to an external non-company owned domain. Additional investigation points include the following:- Identify the
@AppId
value, to determine if it’s unusual for the user. - Identify if there are suspicious keywords used like ‘payment’ and ‘invoice’.
- Determine if there is a legitimate use case for the mail forwarding rule by contacting the user
{{@usr.email}}
. - If
{{@usr.email}}
is not aware of the mail forwarding rule:- Investigate other activities performed by the user
{{@usr.email}}
using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor
with @threat_intel.results.category:tor
.