Microsoft 365 Exchange transport rule set up to automatically forward email

microsoft-365

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1114-email-collection

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a user adds or modifies an Exchange transport rule to automatically forward emails.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operations New-TransportRule or Set-TransportRule, where a value is set for @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo. Attackers often create email forwarding rules to collect sensitive information and maintain persistence in the organization.

Triage and response

  1. Inspect the @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo and determine if the rule is sending email to an external non-company owned domain. Additional investigation points include the following:
    • Identify the @AppId value, to determine if it’s unusual for the user.
    • Identify if there are suspicious keywords used like ‘payment’ and ‘invoice’.
  2. Determine if there is a legitimate use case for the mail forwarding rule by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mail forwarding rule:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.