Exchange transport forwarding rule configured

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

Attacker's Goals

Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.

Investigative actions

  • Check what mailboxes are affected by the transport rule.
  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the forwarding domain is an unknown external domain and look up its reputation.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for emails sent to this recipient by other users.

Variations

Exchange transport forwarding rule configured by a delegate user

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user.

Attacker's Goals

Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.

Investigative actions

  • Check what mailboxes are affected by the transport rule.
  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the forwarding domain is an unknown external domain and look up its reputation.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for emails sent to this recipient by other users.


Suspicious Exchange transport forwarding rule configured

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

Attacker's Goals

Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.

Investigative actions

  • Check what mailboxes are affected by the transport rule.
  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the forwarding domain is an unknown external domain and look up its reputation.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for emails sent to this recipient by other users.