Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Threat Module
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
Attacker's Goals
Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.
Investigative actions
- Check what mailboxes are affected by the transport rule.
- Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
- Check if the forwarding domain is an unknown external domain and look up its reputation.
- Investigate the IP address associated with the rule.
- Review any further actions taken by the same account after the rule was created.
- Check for a possible phishing campaign against the organization.
- Look for emails sent to this recipient by other users.
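The investigative actions above start from the rule-change event itself: which mailboxes the rule scopes to, where it forwards, and from which IP it was configured. The following triage helper is an added example, not part of the detector page or the vendor's product. It assumes Exchange admin-audit records with the fields `Operation`, `UserId`, `ClientIP`, `ObjectId` and a `Parameters` list of `Name`/`Value` pairs (multi-valued parameters as one `;`-separated string), and the sample records and the `contoso.example` / `fabrikam.example` accepted-domain list are constructed for the demonstration. It extracts every forwarding recipient from `New-TransportRule` / `Set-TransportRule` events, separates recipients outside the organization's accepted domains, and keeps the rule's scope conditions so an analyst can see which mailboxes are affected.

```python
from dataclasses import dataclass

# Transport-rule actions that deliver mail to an additional recipient or redirect it.
FORWARDING_PARAMETERS = ("RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients")

# Rule conditions that narrow which senders, recipients or subjects the rule applies to.
SCOPE_PARAMETERS = ("From", "SentTo", "FromMemberOf", "SentToMemberOf",
                    "FromScope", "SentToScope", "SubjectContainsWords")

# Constructed sample audit records (assumed record shape, not real data).
SAMPLE_RECORDS = [
    {
        "Operation": "New-TransportRule",
        "UserId": "alice@contoso.example",
        "ClientIP": "203.0.113.10",
        "ObjectId": "Archive finance mail",
        "Parameters": [
            {"Name": "Name", "Value": "Archive finance mail"},
            {"Name": "SentToMemberOf", "Value": "finance@contoso.example"},
            {"Name": "BlindCopyTo", "Value": "collector@mail-archive.example"},
        ],
    },
    {
        "Operation": "Set-TransportRule",
        "UserId": "bob@contoso.example",
        "ClientIP": "198.51.100.7",
        "ObjectId": "Copy legal to records",
        "Parameters": [
            {"Name": "Identity", "Value": "Copy legal to records"},
            {"Name": "SubjectContainsWords", "Value": "contract;NDA"},
            {"Name": "CopyTo", "Value": "records@contoso.example;legal@fabrikam.example"},
        ],
    },
    {   # Unrelated admin operation: must be ignored by the triage.
        "Operation": "Set-Mailbox",
        "UserId": "carol@contoso.example",
        "ClientIP": "198.51.100.8",
        "ObjectId": "carol@contoso.example",
        "Parameters": [{"Name": "Identity", "Value": "carol@contoso.example"}],
    },
]

# Constructed list of the organization's own (accepted) mail domains.
ACCEPTED_DOMAINS = {"contoso.example", "fabrikam.example"}


@dataclass
class Finding:
    rule: str          # rule name as logged in ObjectId
    actor: str         # account that created or changed the rule
    client_ip: str     # IP the change was made from (for the IP investigation step)
    recipients: list   # every forwarding / copy recipient the rule adds
    external: list     # subset of recipients outside the accepted domains
    scope: dict        # scope conditions, i.e. which mailboxes/mail the rule affects

    @property
    def is_external(self):
        return bool(self.external)


def _split(value):
    """Multi-valued parameters are assumed to be logged as one ';'-separated string."""
    return [v.strip() for v in str(value).split(";") if v.strip()]


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def triage_record(record, accepted_domains):
    """Return a Finding for a rule change that forwards or copies mail, else None."""
    if record.get("Operation") not in ("New-TransportRule", "Set-TransportRule"):
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    recipients = [addr for name in FORWARDING_PARAMETERS
                  for addr in _split(params.get(name, ""))]
    if not recipients:
        return None  # the change adds no forwarding action
    accepted = {d.lower() for d in accepted_domains}
    return Finding(
        rule=record.get("ObjectId") or params.get("Name") or params.get("Identity", "?"),
        actor=record.get("UserId", "?"),
        client_ip=record.get("ClientIP", "?"),
        recipients=recipients,
        external=[a for a in recipients if _domain(a) not in accepted],
        scope={k: _split(params[k]) for k in SCOPE_PARAMETERS if k in params},
    )


def triage(records, accepted_domains):
    """All forwarding-rule findings, in record order."""
    return [f for f in (triage_record(r, accepted_domains) for r in records) if f]


def external_findings(records, accepted_domains):
    """Only the findings that forward to a domain the organization does not own."""
    return [f for f in triage(records, accepted_domains) if f.is_external]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, ACCEPTED_DOMAINS):
        flag = "EXTERNAL" if f.is_external else "internal"
        print(f"[{flag}] rule={f.rule!r} by {f.actor} from {f.client_ip} "
              f"-> {f.recipients} scope={f.scope}")
```

Findings with a non-empty `external` list map directly onto the checklist: `scope` answers which mailboxes are affected, `external` gives the domains whose reputation to look up, and `actor` / `client_ip` are the starting points for reviewing the account's other activity and the source address.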
Variations
- Exchange transport forwarding rule configured by a delegate user
- Suspicious Exchange transport forwarding rule configured