M365 Suspicious Exchange Transport Rule

Detection overview

Triggers

  • A new Exchange transport rule has been created with an action that can collect, exfiltrate, or suppress mail while it is still in transit: BlindCopyTo, CopyTo, or DeleteMessage.

Possible Root Causes

  • An attacker with Exchange administrator rights has created a rule that copies or blind-copies sensitive messages, before they reach the recipient's mailbox, to an address the attacker controls (internal or external). Because transport rules act on mail in transit for the whole organization, they are not visible in the affected user's mailbox settings and survive a password reset or a clean-up of mailbox-level forwarding.
  • An attacker may be preparing to delete specific messages before delivery, for example security alerts or notifications that would reveal their activity or prompt a response.
  • An administrator added a legitimate rule to meet a business requirement (such as a compliance or archiving copy) or to drop dangerous messages before they reach user inboxes.

Business Impact

  • Because email underpins so many enterprise processes, attackers prioritize access to it both as a way to progress an attack and as a channel for data exfiltration.
  • Copied or blind-copied messages may expose sensitive data to the attacker.
  • Deleted messages may suppress security alerts or other mail that would otherwise warn the organization of a breach.
  • Copying and deleting mail together lets an external party read a conversation, keep the real recipient from seeing parts of it, and impersonate internal users to further their goals.

Steps to Verify

  • Validate that the new transport rule serves a documented business purpose, does not create a risk of data exposure, and was implemented through the proper change control process.
  • Identify who created the rule, when, and from which client IP (the admin audit log records the New-TransportRule call and its parameters), and confirm this matches that administrator's normal activity.
  • Inspect the copy targets for external or unfamiliar addresses, and inspect the rule's conditions for narrow targeting of specific users, senders, or keywords that a business rule would not need.
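The following script is an added example and is not code from the original page or from the detection's vendor. It carries out the triage described under Triggers and Steps to Verify in Exchange Online PowerShell: it enumerates live transport rules whose actions are BlindCopyTo, CopyTo, or DeleteMessage, flags copy targets outside the tenant's accepted domains, and then pulls the admin audit records that created or changed transport rules so each rule can be tied to an actor and a client IP. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator and audit-log read rights, and Unified Audit Logging enabled; the administrator UPN and the lookback window are placeholders.

```powershell
# Added example, not code from the original page: triage Exchange Online
# transport rules whose actions copy, blind-copy, or drop mail in transit,
# and tie each one back to the admin audit record that created or changed it.
# Assumptions: ExchangeOnlineManagement module installed, an account with
# Exchange admin and audit-log read rights, Unified Audit Logging enabled.
# The UPN and lookback window below are placeholders.
param(
    [string]$AdminUpn     = 'admin@contoso.example',
    [int]   $LookbackDays = 7
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Domains the tenant owns; a copy target outside this set is external.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLowerInvariant() }

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return -not ($acceptedDomains -contains $domain)
}

# Step 1: enumerate live rules that carry one of the risky actions.
$riskyRules = Get-TransportRule -ResultSize Unlimited | Where-Object {
    $_.BlindCopyTo.Count -gt 0 -or $_.CopyTo.Count -gt 0 -or $_.DeleteMessage
}

$ruleFindings = foreach ($rule in $riskyRules) {
    $targets  = @(@($rule.BlindCopyTo) + @($rule.CopyTo) | ForEach-Object { "$_" } | Where-Object { $_ })
    $external = @($targets | Where-Object { Test-ExternalAddress $_ })
    [pscustomobject]@{
        Rule            = $rule.Name
        State           = $rule.State
        Priority        = $rule.Priority
        WhenChanged     = $rule.WhenChanged
        DeletesMail     = [bool]$rule.DeleteMessage
        CopyTargets     = $targets -join ';'
        ExternalTargets = $external -join ';'
        Conditions      = $rule.Description   # human-readable summary of conditions and actions
    }
}
$ruleFindings | Sort-Object WhenChanged -Descending | Format-Table -AutoSize

# Step 2: who created or changed transport rules, from where, and with which
# parameters. Set-TransportRule is included because adding BlindCopyTo to an
# existing, previously benign rule is as dangerous as creating a new one.
$auditRecords = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations 'New-TransportRule','Set-TransportRule' -ResultSize 5000

$auditFindings = foreach ($record in $auditRecords) {
    $data   = $record.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
    # Keep only changes that touched a risky action.
    if (-not ($params.ContainsKey('BlindCopyTo') -or $params.ContainsKey('CopyTo') -or $params.ContainsKey('DeleteMessage'))) { continue }
    [pscustomobject]@{
        When          = $data.CreationTime
        Actor         = $data.UserId
        ClientIP      = $data.ClientIP
        Operation     = $data.Operation
        Rule          = $data.ObjectId
        BlindCopyTo   = $params['BlindCopyTo']
        CopyTo        = $params['CopyTo']
        DeleteMessage = $params['DeleteMessage']
    }
}
$auditFindings | Sort-Object When | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as a script (for example `.\Find-RiskyTransportRules.ps1 -LookbackDays 14`). An external address in ExternalTargets is the strongest signal; a DeleteMessage rule whose conditions single out a particular sender or subject (security vendor notifications, password reset mail) deserves the same scrutiny. Unified Audit Log records can lag the actual change by some hours, so an empty audit result for a rule that clearly exists does not clear it; widen the window and re-run. A rule in the Disabled state is still worth investigating, since an attacker may stage it and enable it later.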