This detection identifies unusual modifications to Exchange transport rules in a Microsoft 365 environment, which may indicate malicious activity or policy misconfiguration. Exchange transport rules, typically used for email traffic management, can be abused to intercept, redirect, or alter communications, posing a significant security threat.
Threat actors may modify Exchange transport rules to establish covert email forwarding, allowing them to monitor internal communications, exfiltrate sensitive data, or propagate phishing campaigns. This tactic is commonly used post-compromise to maintain access and exploit the environment.
Administrators may update transport rules for legitimate purposes, such as compliance, email redirection for troubleshooting, or custom workflows. However, a lack of oversight or documentation can make such legitimate changes look suspicious.
An attacker gains access to an admin account and creates a rule forwarding executive emails to an external address, facilitating espionage.
An admin inadvertently creates a rule that blocks critical internal emails, hindering workflow and causing delays.
If this detection indicates a genuine threat, the organization faces significant risks:
Email forwarding to unauthorized addresses could result in exposure of sensitive data.
Misconfigured or malicious rules might lead to breaches of privacy or data handling regulations.
Altered or misrouted email traffic can disrupt business communication, reducing productivity.
Review the modified or added rule to confirm its purpose and alignment with business needs.
Determine the user or account responsible for the modification, noting any signs of compromise.
Check for additional suspicious activity related to the account or entity that made the changes.
Analyze email logs to identify unauthorized forwarding, data exfiltration, or other unusual activity.
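The following is an added example, not part of the original detection write-up, showing how the log review above can be automated over exported audit records. It assumes records shaped like Microsoft 365 Unified Audit Log entries for Exchange admin cmdlets (an Operation such as New-TransportRule or Set-TransportRule, the acting UserId, the rule name in ObjectId, and cmdlet Parameters as Name/Value pairs); the sample records, the internal domain list and the severity scheme are constructed for this example and are not a tenant's real data.

```python
"""Flag Exchange transport-rule changes that copy or redirect mail outside the tenant,
or that remove/disable an existing rule.

Added example, not code from the original detection page. Record shape assumed to match
Unified Audit Log entries for Exchange admin cmdlets; sample data below is constructed.
"""
import json
import re

# Domains the organisation owns; anything else counts as external. (assumption)
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Cmdlets that create, change, remove or disable transport rules.
RULE_OPERATIONS = {
    "New-TransportRule", "Set-TransportRule", "Remove-TransportRule",
    "Disable-TransportRule", "Enable-TransportRule",
}

# Transport-rule parameters whose values are recipient lists that cause a copy or
# redirect of the message (tuple keeps the order of reasons deterministic).
FORWARDING_PARAMS = ("RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients")

# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2024-05-01T08:12:44", "Operation": "New-TransportRule",
     "UserId": "admin@example.com", "ObjectId": "Exec mail copy",
     "Parameters": [{"Name": "Name", "Value": "Exec mail copy"},
                    {"Name": "From", "Value": "ceo@example.com;cfo@example.com"},
                    {"Name": "BlindCopyTo", "Value": "archive@mailbox-collector.test"}]},
    {"CreationTime": "2024-05-01T09:01:10", "Operation": "Set-TransportRule",
     "UserId": "helpdesk@example.com", "ObjectId": "Legal hold copy",
     "Parameters": [{"Name": "Identity", "Value": "Legal hold copy"},
                    {"Name": "CopyTo", "Value": "legal-archive@corp.example.com"}]},
    {"CreationTime": "2024-05-01T09:30:02", "Operation": "Remove-TransportRule",
     "UserId": "admin@example.com", "ObjectId": "Block external auto-forward",
     "Parameters": [{"Name": "Identity", "Value": "Block external auto-forward"}]},
    {"CreationTime": "2024-05-01T10:15:51", "Operation": "New-TransportRule",
     "UserId": "admin@example.com", "ObjectId": "Disclaimer",
     "Parameters": [{"Name": "Name", "Value": "Disclaimer"},
                    {"Name": "ApplyHtmlDisclaimerText", "Value": "<p>Confidential</p>"}]},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "Set-Mailbox",  # not a rule change
     "UserId": "admin@example.com", "ObjectId": "someone@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "x@y.test"}]},
]


def parse_audit_lines(text):
    """Parse newline-delimited JSON (one audit record per line) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _param_map(record):
    """Turn the Parameters Name/Value list into a plain dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _external_recipients(value):
    """Split a recipient list and return the addresses outside INTERNAL_DOMAINS."""
    external = []
    for addr in re.split(r"[;,\s]+", value):
        addr = addr.strip().strip('"')
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower()
        internal = domain in INTERNAL_DOMAINS or any(
            domain.endswith("." + d) for d in INTERNAL_DOMAINS)
        if not internal:
            external.append(addr)
    return external


def evaluate_record(record):
    """Return a finding dict for a suspicious transport-rule change, else None."""
    op = record.get("Operation", "")
    if op not in RULE_OPERATIONS:
        return None
    params = _param_map(record)
    reasons, external = [], []
    for name in FORWARDING_PARAMS:
        if name in params:
            ext = _external_recipients(params[name])
            if ext:
                reasons.append(f"{name} targets external recipient(s)")
                external.extend(ext)
    if op == "Remove-TransportRule":
        reasons.append("existing rule removed")
    elif op == "Disable-TransportRule":
        reasons.append("existing rule disabled")
    if not reasons:
        return None
    return {
        "time": record.get("CreationTime"), "operation": op,
        "actor": record.get("UserId"), "rule": record.get("ObjectId"),
        "external_recipients": external, "reasons": reasons,
        "severity": "high" if external else "medium",
    }


def find_suspicious_rule_changes(records):
    """Run evaluate_record over all records and keep the findings."""
    return [f for f in (evaluate_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in find_suspicious_rule_changes(SAMPLE_AUDIT_RECORDS):
        print(json.dumps(finding, indent=2))
```

The rule-copy to `legal-archive@corp.example.com` is deliberately left unflagged because it stays inside the tenant's domains; the removal of a rule named "Block external auto-forward" is flagged at medium severity because deleting or disabling an existing rule can quietly weaken a control, which the investigation step about checking related activity should then follow up.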
A policy configured in Exchange to manage the flow and content of email messages.
Yes, especially if there’s poor documentation or notification of administrative updates.
Examine Exchange audit logs, email traffic logs, and administrative action logs.
They often signify data exfiltration or unauthorized monitoring.
Regular audits should be part of routine security and compliance checks.
Look for unusual destinations, conditions, or actions inconsistent with standard practices.
It highlights potential misuse of email management, a critical vector in many attacks.
Use M365 Security & Compliance Center and third-party forensic tools for deeper insight.
Disable the rule, assess account compromise, and strengthen access controls.
Educating administrators on proper rule management and documentation.