Microsoft 365 Exchange transport rule set up to automatically forward email
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a user adds or modifies an Exchange transport rule to automatically forward emails.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operations New-TransportRule or Set-TransportRule, where a value is set for @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo. Attackers often create email forwarding rules to collect sensitive information and maintain persistence in the organization.
Triage and response
- Inspect the
@Parameters.BlindCopyTo or @Parameters.RedirectMessageTo and determine if the rule is sending email to an external non-company owned domain. Additional investigation points include the following:- Identify the
@AppId value, to determine if it’s unusual for the user. - Identify if there are suspicious keywords used like ‘payment’ and ‘invoice’.
- Determine if there is a legitimate use case for the mail forwarding rule by contacting the user
{{@usr.email}}. - If
{{@usr.email}} is not aware of the mail forwarding rule:- Investigate other activities performed by the user
{{@usr.email}} using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
