Microsoft 365 Exchange Transport Rule Creation

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
13not be set to forward email to domains outside of your organization. An adversary may create transport rules to
14exfiltrate data.
15"""
16false_positives = [
17    """
18    A new transport rule may be created by a system or network administrator. Verify that the configuration change was
19    expected. Exceptions can be added to this rule to filter expected behavior.
20    """,
21]
22from = "now-30m"
23index = ["filebeat-*", "logs-o365*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Microsoft 365 Exchange Transport Rule Creation"
27note = """## Setup
28
29The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = [
31    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
32    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
33]
34risk_score = 47
35rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
36severity = "medium"
37tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1537"
50name = "Transfer Data to Cloud Account"
51reference = "https://attack.mitre.org/techniques/T1537/"
52
53
54[rule.threat.tactic]
55id = "TA0010"
56name = "Exfiltration"
57reference = "https://attack.mitre.org/tactics/TA0010/"

References

• New-TransportRule (ExchangePowerShell)

  

  In on-premises Exchange organizations, rules created on Mailbox servers are stored in Active Directory. All Mailbox servers in the organization have access to the same set of rules. On Edge Transport servers, rules are saved in the local copy of Active Directory Lightweight Directory Services (AD LDS). Rules aren't shared or replicated between Edge Transport servers or between Mailbox servers and Edge Transport servers. Also, some conditions and actions are exclusive to each server role. The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

  
  Read More

• Mail flow rules (transport rules) in Exchange Online

  

  Learn about mail flow rules in Exchange Online.

  
  Read More

Related rules

• Microsoft 365 Exchange Transport Rule Modification
• Microsoft 365 Mass download by a single user
• Microsoft 365 Exchange Anti-Phish Policy Deletion
• Microsoft 365 Exchange Anti-Phish Rule Modification
• Microsoft 365 Exchange DLP Policy Removed