M365 Suspicious Exchange Transport Rule
Detection overview
Triggers
- A new Exchange transport rule has been created with a potentially risky action that may provide email collection, exfiltration, or deletion capabilities (BlindCopyTo, CopyTo, Delete).
Possible Root Causes
- An attacker has gained Exchange administrator access with the capabilities of forwarding sensitive emails prior to their arrival in a user’s inbox to an attacker controlled email address (internal or external).
- An attacker may be preparing to delete important emails prior to their arrival in a user’s inbox to prevent important alerts or notifications from occurring.
- A legitimate transport rule was added to support business requirements or prevent dangerous emails from reaching user inboxes.
Business Impact
- Because email services are critical to so many enterprise activities, attackers prioritize access both as a means of progressing an attack as well as a mechanism for data exfiltration.
- Forwarded emails may expose sensitive data.
- Deleted emails may mask security alerts or important emails alerting an organization to a breach.
- The combination of forwarded and deleted emails may allow an external party to impersonate internal users to further their goals.
Steps to Verify
- Validate the new transport rule serves a business purpose, does not create a risk of data exposure, and has been implemented according to proper change control processes.
M365 Suspicious Exchange Transport Rule
Possible root causes
Malicious Detection
Benign Detection
M365 Suspicious Exchange Transport Rule
Example scenarios
M365 Suspicious Exchange Transport Rule
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspicious Exchange Transport Rule
Steps to investigate
M365 Suspicious Exchange Transport Rule
Related detections
No items found.