Microsoft 365 Exchange Transport Rule Creation

Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.

Elastic rule

[metadata]
creation_date = "2020/11/18"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
not be set to forward email to domains outside of your organization. An adversary may create transport rules to
exfiltrate data.
"""
false_positives = [
    """
    A new transport rule may be created by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Transport Rule Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Transport Rule Creation

Microsoft 365 Exchange transport rules automate email handling, applying actions like forwarding or blocking based on conditions. While beneficial for managing communications, adversaries can exploit these rules to redirect emails externally, facilitating data exfiltration. The detection rule monitors successful creation of new transport rules, flagging potential misuse by identifying specific actions and outcomes in audit logs.

### Possible investigation steps

- Review the audit logs for the event.dataset:o365.audit to identify the user account responsible for creating the new transport rule.
- Examine the event.provider:Exchange and event.category:web fields to confirm the context and source of the rule creation.
- Investigate the event.action:"New-TransportRule" to understand the specific conditions and actions defined in the newly created transport rule.
- Check the event.outcome:success to ensure the rule creation was completed successfully and assess if it aligns with expected administrative activities.
- Analyze the transport rule settings to determine if it includes actions that forward emails to external domains, which could indicate potential data exfiltration.
- Correlate the findings with other security events or alerts to identify any patterns or anomalies that might suggest malicious intent.

### False positive analysis

- Routine administrative tasks may trigger alerts when IT staff create or modify transport rules for legitimate purposes. To manage this, establish a baseline of expected rule creation activities and exclude these from alerts.
- Automated systems or third-party applications that integrate with Microsoft 365 might create transport rules as part of their normal operation. Identify these systems and create exceptions for their known actions.
- Changes in organizational policies or email handling procedures can lead to legitimate rule creations. Document these changes and update the monitoring system to recognize them as non-threatening.
- Regular audits or compliance checks might involve creating temporary transport rules. Coordinate with audit teams to schedule these activities and temporarily adjust alert thresholds or exclusions during these periods.

### Response and remediation

- Immediately disable the newly created transport rule to prevent further unauthorized email forwarding or data exfiltration.
- Conduct a thorough review of the audit logs to identify any other suspicious transport rules or related activities that may indicate a broader compromise.
- Isolate the affected user accounts or systems associated with the creation of the transport rule to prevent further unauthorized access or actions.
- Reset passwords and enforce multi-factor authentication for the affected accounts to secure access and prevent recurrence.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Escalate the incident to the incident response team if there is evidence of a broader compromise or if sensitive data has been exfiltrated.
- Implement enhanced monitoring and alerting for transport rule changes to detect and respond to similar threats more effectively in the future.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
]
risk_score = 47
rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
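The query above can be replayed outside the SIEM to see exactly which events it matches and to carry out the "analyze the transport rule settings" triage step. The following Python is an added example, not Elastic's code: it evaluates the rule's five KQL conditions against constructed o365.audit-style events and then checks the parameters of each matching New-TransportRule for forwarding actions aimed at domains outside the organisation (RedirectMessageTo, BlindCopyTo, CopyTo and AddToRecipients are the cmdlet's own parameter names). The flat "parameters" list on the event, the user ids and the addresses are assumptions made for the sample.

```python
# Added example (not Elastic's code): replays the rule's KQL conditions over
# constructed o365.audit events, then checks each matching New-TransportRule
# for forwarding parameters that target domains outside the organisation.
# Parameter names are the cmdlet's own; the event "parameters" layout is assumed.
FORWARDING_PARAMS = {"RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients"}

def make_event(action, outcome, user, params, provider="Exchange"):
    """Minimal ECS-shaped audit event built from constructed sample values."""
    return {"event": {"dataset": "o365.audit", "provider": provider,
                      "category": "web", "action": action, "outcome": outcome},
            "user": {"id": user},
            "parameters": [{"Name": n, "Value": v} for n, v in params]}

SAMPLE_EVENTS = [
    make_event("New-TransportRule", "success", "admin@corp.example",
               [("Name", "Legal copy"), ("BlindCopyTo", "legal@corp.example")]),
    make_event("New-TransportRule", "success", "helpdesk@corp.example",
               [("Name", "Invoices"), ("RedirectMessageTo", "drop@mail.example.net")]),
    make_event("Set-TransportRule", "success", "admin@corp.example", []),   # not a creation
    make_event("New-TransportRule", "failure", "guest@corp.example", []),  # failed attempt
]

def matches_rule(event):
    """The page's KQL query, evaluated against a single event."""
    e = event.get("event", {})
    return (e.get("dataset") == "o365.audit" and e.get("provider") == "Exchange"
            and e.get("category") == "web" and e.get("action") == "New-TransportRule"
            and e.get("outcome") == "success")

def external_forward_targets(event, internal_domains):
    """Addresses in forwarding parameters whose domain is not internal."""
    hits = []
    for p in event.get("parameters", []):
        if p.get("Name") not in FORWARDING_PARAMS:
            continue
        for addr in str(p.get("Value", "")).split(","):
            addr = addr.strip()
            if addr and addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                hits.append(addr)
    return hits

def triage(events, internal_domains):
    """One finding per rule match, raised to 'high' when it forwards externally."""
    findings = []
    for ev in events:
        if matches_rule(ev):
            ext = external_forward_targets(ev, internal_domains)
            findings.append({"user": ev["user"]["id"], "external_targets": ext,
                             "priority": "high" if ext else "review"})
    return findings
```

Running `triage(SAMPLE_EVENTS, {"corp.example"})` yields two findings: the internal BCC rule is left at "review" for the baseline check described under false positives, while the redirect to an external domain is raised to "high".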
