Microsoft 365 Exchange Transport Rule Creation
Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
11not be set to forward email to domains outside of your organization. An adversary may create transport rules to
12exfiltrate data.
13"""
14false_positives = [
15 """
16 A new transport rule may be created by a system or network administrator. Verify that the configuration change was
17 expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Transport Rule Creation"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
30 "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
31]
32risk_score = 47
33rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
34severity = "medium"
35tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1537"
48name = "Transfer Data to Cloud Account"
49reference = "https://attack.mitre.org/techniques/T1537/"
50
51
52[rule.threat.tactic]
53id = "TA0010"
54name = "Exfiltration"
55reference = "https://attack.mitre.org/tactics/TA0010/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Transport Rule Modification
- Microsoft 365 Mass download by a single user
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DLP Policy Removed