Microsoft 365 Exchange Transport Rule Modification

Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.

Elastic rule

[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
threat may modify a transport rule to exfiltrate data or evade defenses.
"""
false_positives = [
    """
    A transport rule may be modified by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Transport Rule Modification"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Transport Rule Modification

Microsoft 365 Exchange transport rules manage email flow by setting conditions and actions for messages. Adversaries may exploit these rules to disable or delete them, facilitating data exfiltration or bypassing security measures. The detection rule monitors audit logs for successful execution of commands that alter these rules, signaling potential misuse and enabling timely investigation.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:o365.audit entries with event.provider:Exchange to confirm the occurrence of the "Remove-TransportRule" or "Disable-TransportRule" actions.
- Identify the user account associated with the event by examining the user information in the audit logs to determine if the action was performed by an authorized individual or a potential adversary.
- Check the event.category:web context to understand if the action was performed through a web interface, which might indicate a compromised account or unauthorized access.
- Investigate the event.outcome:success to ensure that the rule modification was indeed successful and not an attempted action.
- Correlate the timing of the rule modification with other security events or alerts to identify any concurrent suspicious activities that might suggest a broader attack or data exfiltration attempt.
- Assess the impact of the rule modification by reviewing the affected transport rules to determine if they were critical for security or compliance, and evaluate the potential risk to the organization.

### False positive analysis

- Routine administrative changes to transport rules by IT staff can trigger alerts. To manage this, maintain a list of authorized personnel and their expected activities, and create exceptions for these users in the monitoring system.
- Scheduled maintenance or updates to transport rules may result in false positives. Document these activities and adjust the monitoring system to temporarily exclude these events during known maintenance windows.
- Automated scripts or third-party tools that manage transport rules might cause alerts. Identify these tools and their typical behavior, then configure the monitoring system to recognize and exclude these benign actions.
- Changes made as part of compliance audits or security assessments can be mistaken for malicious activity. Coordinate with audit teams to log these activities separately and adjust the monitoring system to account for these legitimate changes.

### Response and remediation

- Immediately disable any compromised accounts identified in the audit logs to prevent further unauthorized modifications to transport rules.
- Revert any unauthorized changes to transport rules by restoring them to their previous configurations using backup data or logs.
- Conduct a thorough review of all transport rules to ensure no additional unauthorized modifications have been made, and confirm that all rules align with organizational security policies.
- Implement additional monitoring on the affected accounts and transport rules to detect any further suspicious activities or attempts to modify rules.
- Escalate the incident to the security operations team for a deeper investigation into potential data exfiltration activities and to assess the scope of the breach.
- Coordinate with legal and compliance teams to determine if any regulatory reporting is required due to potential data exfiltration.
- Enhance security measures by enabling multi-factor authentication (MFA) for all administrative accounts and reviewing access permissions to ensure the principle of least privilege is enforced.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
]
risk_score = 47
rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
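The query above, together with the exceptions the false-positive section recommends, as an added Python example that is not part of the Elastic rule: `matches_rule` mirrors the KQL clause by clause over constructed ECS-shaped o365.audit events, and `triage` sets aside matches from an allow-listed admin or inside a documented maintenance window so that only unexpected changes remain as alerts. The user names, rule names and timestamps are constructed, and using `o365.audit.ObjectId` to carry the transport rule name is an assumption. The last two sample events show what the query does not match: a failed removal (event.outcome is not success) and a `Set-TransportRule` change, which is outside this rule's scope.

```python
from datetime import datetime, timezone

WATCHED_ACTIONS = {"Remove-TransportRule", "Disable-TransportRule"}

def matches_rule(ev: dict) -> bool:
    """Mirror the rule's KQL clause by clause. ECS event.category is an array,
    so KQL `event.category:web` is a membership test, not an equality."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "Exchange"
            and "web" in ev.get("event.category", [])
            and ev.get("event.action") in WATCHED_ACTIONS
            and ev.get("event.outcome") == "success")

def triage(events, allowlisted_users=frozenset(), maintenance_windows=()):
    """Split matches into (alerts, expected): allow-listed admins and documented
    maintenance windows are the exceptions the false-positive section suggests."""
    alerts, expected = [], []
    for ev in filter(matches_rule, events):
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        routine = (ev.get("user.name") in allowlisted_users
                   or any(a <= ts <= b for a, b in maintenance_windows))
        (expected if routine else alerts).append(ev)
    return alerts, expected

def _ev(ts, action, outcome, user, rule):
    """Constructed ECS-shaped event (not real tenant data); ObjectId field assumed."""
    return {"@timestamp": ts, "event.dataset": "o365.audit",
            "event.provider": "Exchange", "event.category": ["web"],
            "event.action": action, "event.outcome": outcome,
            "user.name": user, "o365.audit.ObjectId": rule}

SAMPLE_EVENTS = [  # trailing comments say how the rule should treat each one
    _ev("2025-01-15T03:12:00Z", "Remove-TransportRule", "success",
        "contractor@example.com", "Block external auto-forward"),  # alert
    _ev("2025-01-15T10:05:00Z", "Disable-TransportRule", "success",
        "exo-admin@example.com", "Legacy disclaimer"),             # allow-listed
    _ev("2025-01-15T22:30:00Z", "Remove-TransportRule", "success",
        "helpdesk@example.com", "Retired DLP rule"),               # in window
    _ev("2025-01-15T04:00:00Z", "Remove-TransportRule", "failure",
        "contractor@example.com", "Block external auto-forward"),  # not success
    _ev("2025-01-15T05:00:00Z", "Set-TransportRule", "success",
        "contractor@example.com", "Block external auto-forward"),  # not in query
]
MAINTENANCE = [(datetime(2025, 1, 15, 22, 0, tzinfo=timezone.utc),
                datetime(2025, 1, 15, 23, 0, tzinfo=timezone.utc))]

if __name__ == "__main__":
    alerts, expected = triage(SAMPLE_EVENTS, {"exo-admin@example.com"}, MAINTENANCE)
    print([e["o365.audit.ObjectId"] for e in alerts], len(expected), "suppressed")
```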
