Microsoft 365 Inbox Forwarding Rule Created

Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/03/29"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Gary Blackwell", "Austin Songer"]
description = """
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
having the corresponding privileges.
"""
false_positives = [
    """
    Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company
    policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Inbox Forwarding Rule Created"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Inbox Forwarding Rule Created

Microsoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities.

### Possible investigation steps

- Review the event details to identify the user account associated with the creation of the forwarding rule by examining the o365.audit.Parameters.
- Check the destination email address specified in the forwarding rule (ForwardTo, ForwardAsAttachmentTo, or RedirectTo) to determine if it is an external or suspicious address.
- Investigate the user's recent activity logs in Microsoft 365 to identify any unusual or unauthorized actions, focusing on event.dataset:o365.audit and event.provider:Exchange.
- Verify if the user has a legitimate reason to create such a forwarding rule by consulting with their manager or reviewing their role and responsibilities.
- Assess if there have been any recent security incidents or alerts related to the user or the destination email address to identify potential compromise.
- Consider disabling the forwarding rule temporarily and notifying the user and IT security team if the rule appears suspicious or unauthorized.

### False positive analysis

- Legitimate forwarding rules set by users for convenience or workflow purposes may trigger alerts. Review the context of the rule creation, such as the user and the destination address, to determine if it aligns with normal business operations.
- Automated systems or third-party applications that integrate with Microsoft 365 might create forwarding rules as part of their functionality. Identify these systems and consider excluding their associated accounts from the rule.
- Temporary forwarding rules set during user absence, such as vacations or leaves, can be mistaken for malicious activity. Implement a process to document and approve such rules, allowing for their exclusion from monitoring during the specified period.
- Internal forwarding to trusted domains or addresses within the organization might not pose a security risk. Establish a list of trusted internal addresses and configure exceptions for these in the detection rule.
- Frequent rule changes by specific users, such as IT administrators or support staff, may be part of their job responsibilities. Monitor these accounts separately and adjust the rule to reduce noise from expected behavior.

### Response and remediation

- Immediately disable the forwarding rule by accessing the affected user's mailbox settings in Microsoft 365 and removing any unauthorized forwarding rules.
- Conduct a thorough review of the affected user's email account for any signs of compromise, such as unusual login activity or unauthorized changes to account settings.
- Reset the password for the affected user's account and enforce multi-factor authentication (MFA) to prevent further unauthorized access.
- Notify the user and relevant IT security personnel about the incident, providing details of the unauthorized rule and any potential data exposure.
- Escalate the incident to the security operations team for further investigation and to determine if other accounts may have been targeted or compromised.
- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes.
- Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
    "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf",
]
risk_score = 47
rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and
event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
    (
        o365.audit.Parameters.ForwardTo:* or
        o365.audit.Parameters.ForwardAsAttachmentTo:* or
        o365.audit.Parameters.RedirectTo:*
    )
    and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
[[rule.threat.technique.subtechnique]]
id = "T1114.003"
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
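The query logic above replayed in Python over constructed o365.audit events, as an added example that is not Elastic's code: it mirrors the rule's filters (Exchange provider, New-/Set-InboxRule, success outcome, any of the three forwarding parameters) and layers on the trusted-domain exception the false-positive section suggests. It assumes the flattened o365.audit.Parameters.<Name> layout the rule's field names imply; the events, addresses and `example.com` allowlist are made up.

```python
"""Replay of the 'Microsoft 365 Inbox Forwarding Rule Created' rule logic (example code, not Elastic's)."""

FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # from the rule's query
WATCHED_ACTIONS = {"New-InboxRule", "Set-InboxRule"}


def make_event(user, action, outcome, params):
    """Build a constructed ECS-style o365.audit event (sample data, not a real log)."""
    return {"event": {"dataset": "o365.audit", "provider": "Exchange", "category": "web",
                      "action": action, "outcome": outcome},
            "user": {"name": user}, "o365": {"audit": {"Parameters": params}}}


SAMPLE_EVENTS = [  # constructed: external forward, internal redirect, failed attempt, non-forwarding rule
    make_event("alice@example.com", "New-InboxRule", "success", {"Name": "Invoices", "ForwardTo": "drop@mail-example.net"}),
    make_event("bob@example.com", "Set-InboxRule", "success", {"Name": "OOO", "RedirectTo": "helpdesk@example.com"}),
    make_event("carol@example.com", "New-InboxRule", "failure", {"Name": "Spam", "ForwardTo": "x@mail-example.net"}),
    make_event("dave@example.com", "New-InboxRule", "success", {"Name": "Archive", "MoveToFolder": "Archive"}),
]


def forwarding_targets(event):
    """Return every destination set via ForwardTo/ForwardAsAttachmentTo/RedirectTo (any one matches the KQL)."""
    params = event.get("o365", {}).get("audit", {}).get("Parameters", {})
    return [params[p] for p in FORWARD_PARAMS if params.get(p)]


def matches_rule(event):
    """Mirror the rule's query: Exchange audit event, New-/Set-InboxRule, successful, forwarding parameter present."""
    ev = event.get("event", {})
    return (ev.get("dataset") == "o365.audit" and ev.get("provider") == "Exchange"
            and ev.get("category") == "web" and ev.get("action") in WATCHED_ACTIONS
            and ev.get("outcome") == "success" and bool(forwarding_targets(event)))


def triage(events, trusted_domains):
    """Apply the rule, then label each hit 'external' or 'internal' using a trusted-domain allowlist."""
    hits = []
    for e in events:
        if not matches_rule(e):
            continue
        targets = forwarding_targets(e)
        external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in trusted_domains]
        hits.append({"user": e["user"]["name"], "targets": targets,
                     "scope": "external" if external else "internal"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, {"example.com"}):
        print(hit)
```

Only the two successful rule creations fire; the external one is the case the investigation steps prioritise, while the internal redirect is the kind of hit the false-positive section suggests excepting.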
