Microsoft 365 Exchange transport rule set up to automatically forward email

Goal

Detect when a user adds or modifies an Exchange transport rule to automatically forward emails.

Strategy

Monitor Microsoft 365 Exchange audit logs for the operations New-TransportRule or Set-TransportRule where a value is set for @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo. Attackers often create email forwarding rules to collect sensitive information and maintain persistence in the organization.

Triage and response

  1. Inspect the @Parameters.BlindCopyTo or @Parameters.RedirectMessageTo value and determine whether the rule forwards email to an external, non-company-owned domain. Additional investigation points include the following:
    • Identify the @AppId value to determine if it’s unusual for the user.
    • Check whether the rule uses suspicious keywords such as ‘payment’ or ‘invoice’.
  2. Determine if there is a legitimate use case for the mail forwarding rule by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the mail forwarding rule:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.
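The following script is an added example of the detection logic described in the Strategy section and the triage checks in step 1; it is not the rule's own query or any Datadog code. It scans audit records for New-TransportRule or Set-TransportRule operations that set BlindCopyTo or RedirectMessageTo, flags recipients outside the company-owned domains, and notes suspicious keywords. The sample records are constructed, the JSON shape (an Operation field plus a Parameters list of Name/Value pairs, with UserId and AppId fields) is assumed to match the Exchange admin audit records in the Microsoft 365 Unified Audit Log, and COMPANY_DOMAINS is an assumed placeholder for the organization's own domains.

```python
import json

RULE_OPERATIONS = {"New-TransportRule", "Set-TransportRule"}
FORWARDING_PARAMS = ("BlindCopyTo", "RedirectMessageTo")
SUSPICIOUS_KEYWORDS = ("payment", "invoice")
COMPANY_DOMAINS = {"example.com"}  # assumption: replace with the organization's own domains

# Constructed sample records (not real audit logs). The shape assumed here is an
# "Operation" name plus a "Parameters" list of {"Name", "Value"} pairs, with
# "UserId" and "AppId" carrying the values the triage steps call @usr.email and @AppId.
SAMPLE_LOG_LINES = [
    json.dumps({"Operation": "New-TransportRule", "UserId": "alice@example.com",
                "AppId": "00000000-0000-0000-0000-00000000aaaa",
                "Parameters": [{"Name": "Name", "Value": "Invoice copies"},
                               {"Name": "BlindCopyTo", "Value": "collector@outside-example.net"},
                               {"Name": "SubjectContainsWords", "Value": "payment;invoice"}]}),
    json.dumps({"Operation": "Set-TransportRule", "UserId": "bob@example.com",
                "AppId": "00000000-0000-0000-0000-00000000bbbb",
                "Parameters": [{"Name": "Identity", "Value": "Archive finance mail"},
                               {"Name": "RedirectMessageTo", "Value": "archive@example.com"}]}),
    json.dumps({"Operation": "Set-TransportRule", "UserId": "carol@example.com",
                "AppId": "00000000-0000-0000-0000-00000000cccc",
                "Parameters": [{"Name": "Identity", "Value": "Block executables"},
                               {"Name": "Priority", "Value": "0"}]}),
    json.dumps({"Operation": "New-TransportRule", "UserId": "dave@example.com",
                "AppId": "00000000-0000-0000-0000-00000000dddd",
                "Parameters": [{"Name": "Name", "Value": "Disclaimer"},
                               {"Name": "ApplyHtmlDisclaimerText", "Value": "Confidential"}]}),
]


def parse_parameters(record):
    """Flatten the Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", []) if "Name" in p}


def split_recipients(value):
    """Recipient parameters may hold one address or a ';' or ',' separated list."""
    return [r.strip() for r in str(value).replace(",", ";").split(";") if r.strip()]


def external_recipients(recipients, company_domains):
    """Return the addresses whose domain is not one of the company-owned domains."""
    return [r for r in recipients
            if "@" in r and r.rsplit("@", 1)[1].lower() not in company_domains]


def evaluate_record(record, company_domains=COMPANY_DOMAINS):
    """Return a finding for a forwarding transport rule, or None when the record does not match."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(record)
    hits = {p: split_recipients(params[p]) for p in FORWARDING_PARAMS if params.get(p)}
    if not hits:
        return None  # rule created/changed, but no forwarding parameter was set
    recipients = [r for rs in hits.values() for r in rs]
    external = external_recipients(recipients, company_domains)
    # Triage step 1: look for suspicious keywords anywhere in the rule's parameters
    searchable = " ".join(str(v) for v in params.values()).lower()
    keywords = [k for k in SUSPICIOUS_KEYWORDS if k in searchable]
    return {
        "user": record.get("UserId"),
        "app_id": record.get("AppId"),
        "operation": record["Operation"],
        "parameters": sorted(hits),
        "recipients": recipients,
        "external_recipients": external,
        "suspicious_keywords": keywords,
        # External destinations or suspicious keywords raise the priority for triage
        "severity": "high" if external or keywords else "medium",
    }


def scan(lines, company_domains=COMPANY_DOMAINS):
    """Run the detection over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        finding = evaluate_record(record, company_domains)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(json.dumps(finding, indent=2))
```

Run as-is, the script reports two findings: Alice's rule blind-copies to an external domain and mentions both keywords (high severity), while Bob's rule redirects to an internal address (medium, still worth confirming with the user); the priority change and the disclaimer rule produce nothing. Feeding it real records requires exporting the audit log as one JSON object per line and filling in COMPANY_DOMAINS.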

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.