Suspicious PowerShell Mailbox SMTP Forward Rule

 1title: Suspicious PowerShell Mailbox SMTP Forward Rule
 2id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
 3status: test
 4description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
 5references:
 6    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-10-26
 9tags:
10    - attack.exfiltration
11logsource:
12    product: windows
13    category: ps_script
14    definition: 'Requirements: Script Block Logging must be enabled'
15detection:
16    selection:
17        ScriptBlockText|contains|all:
18            - 'Set-Mailbox '
19            - ' -DeliverToMailboxAndForward '
20            - ' -ForwardingSmtpAddress '
21    condition: selection
22falsepositives:
23    - Legitimate usage of the cmdlet to forward emails
24level: medium

References

• Hunting in On-Premises Exchange Server logs

  

  This will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll try to explain what we can ac…

  
  Read More

Related rules

• APT40 Dropbox Tool User Agent
• AWS EC2 VM Export Failure
• AWS RDS Master Password Change
• AWS S3 Data Management Tampering
• AWS Snapshot Backup Exfiltration