Mastering Email Forwarding Rules in Microsoft 365

In this blog, we present various scenarios in which threat actors can utilise email forwarding rules and the associated evidence in the UAL. Additionally, we have created a comprehensive mind map that summarises the contents of the blog for use in incident detection and response investigations.

This article provides an overview of the threat actor technique of email forwarding rules and the associated evidence in the Unified Audit Log (UAL). It outlines the various scenarios in which a threat actor can utilise email forwarding rules, including the creation of a new mailbox rule, modification or deletion of an existing mailbox rule, creation of a new transport rule, modification or deletion of an existing transport rule, and a security alert generated. It also provides examples of the UAL entries generated for each scenario.

The article explains that there are two types of rules: mailbox rules, which can be configured by the Owner/Admin/Delegate of a mailbox, and transport rules, which can only be configured by users with administrative roles/permissions. It also explains that the UAL is a crucial log for incident response in Microsoft 365 tenants, as it captures both user and admin initiated actions.

The article then provides examples of UAL entries generated for each scenario, such as the ClientIP, Parameters, UserId, ObjectId, RuleOperation, RuleAction, Identity, AppId, and Data fields. It also explains that the Security & Compliance center’s built-in alerts can be used to identify unusual activity in the UAL.

To summarise the contents of the blog, the article provides a mind map that includes the different scenarios and UAL evidence. It also provides further reading resources on BEC and email forwarding rules.

In conclusion, this article provides a comprehensive overview of the threat actor technique of email forwarding rules and the associated evidence in the UAL. It outlines the various scenarios in which a threat actor can utilise email forwarding rules, and provides examples of the UAL entries generated for each scenario. It also explains how the Security & Compliance center’s built-in alerts can be used to identify unusual activity in the UAL. The article provides a mind map that summarises the contents of the blog for use in incident detection and response investigations.

📓 Mastering Email Forwarding Rules in Microsoft 365

👉🏽 In this blog, Invictus Incident Response presents various scenarios in which threat actors can utilise email forwarding rules and the associated evidence in the UAL. Additionally, they have created a comprehensive mind map that summarises the contents of the blog for use in incident detection and response investigations. 👉🏽 Overview of threat actor techniques for data exfiltration using email forwarding rules 👉🏽 Scenarios where threat actors can utilize email forwarding rules 👉🏽 Types of rules: mailbox and transport rules 👉🏽 Importance of Unified Audit Log (UAL) for incident response in Microsoft 365 tenants 👉🏽 UAL entries generated for each scenario. Different UAL logs are generated depending on the method used to configure the rules (O365 Admin Portal, Powershell, Graph API, Outlook Client, OWA) 👉🏽 Use of Security & Compliance center's built-in alerts to identify unusual activity 👉🏽 Mind map provided to summarize contents of blog for incident detection and response investigations 👉🏽 Explanation of ClientIP, Parameters, UserId, ObjectId, RuleOperation, RuleAction, Identity, AppId, and Data fields 👉🏽 Further reading resources on BEC and email forwarding rules 👉🏽 Comprehensive overview of email forwarding rules and associated evidence in UAL.

🔗 source link: https://invictus-ir.medium.com/email-forwarding-rules-in-microsoft-365-295fcb63d4fb

🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/mastering-email-forwarding-rules-in-microsoft-365

#EmailForwardingRules #UnifiedAuditLog #Microsoft365 #IncidentResponse #DetectionAndResponse