M365 Suspicious Exchange Transport Rule
Detection overview
This detection identifies unusual modifications to Exchange transport rules in a Microsoft 365 environment, which may indicate malicious activity or policy misconfiguration. Exchange transport rules, typically used for email traffic management, can be abused to intercept, redirect, or alter communications, posing a significant security threat.
Triggers
- A new Exchange transport rule has been created with a potentially risky action that may provide email collection, exfiltration, or deletion capabilities (BlindCopyTo, CopyTo, Delete).
Possible Root Causes
- An attacker has gained Exchange administrator access with the capabilities of forwarding sensitive emails prior to their arrival in a user’s inbox to an attacker controlled email address (internal or external).
- An attacker may be preparing to delete important emails prior to their arrival in a user’s inbox to prevent important alerts or notifications from occurring.
- A legitimate transport rule was added to support business requirements or prevent dangerous emails from reaching user inboxes.
Business Impact
- Because email services are critical to so many enterprise activities, attackers prioritize access both as a means of progressing an attack as well as a mechanism for data exfiltration.
- Forwarded emails may expose sensitive data.
- Deleted emails may mask security alerts or important emails alerting an organization to a breach.
- The combination of forwarded and deleted emails may allow an external party to impersonate internal users to further their goals.
Steps to Verify
- Validate the new transport rule serves a business purpose, does not create a risk of data exposure, and has been implemented according to proper change control processes.
M365 Suspicious Exchange Transport Rule
Possible root causes
Malicious Detection
Threat actors may modify Exchange transport rules to establish covert email forwarding, allowing them to monitor internal communications, exfiltrate sensitive data, or propagate phishing campaigns. This tactic is commonly used post-compromise to maintain access and exploit the environment.
Benign Detection
Administrators may update transport rules for legitimate purposes, such as compliance, email redirection for troubleshooting, or custom workflows. However, lack of oversight or documentation might make these changes appear suspicious.
M365 Suspicious Exchange Transport Rule
Example scenarios
1. Compromised account redirecting emails
An attacker gains access to an admin account and creates a rule forwarding executive emails to an external address, facilitating espionage.
2. Misconfigured rule causing operational disruption
An admin inadvertently creates a rule that blocks critical internal emails, hindering workflow and causing delays.
M365 Suspicious Exchange Transport Rule
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data leakage risk
Email forwarding to unauthorized addresses could result in exposure of sensitive data.
Compliance violations
Misconfigured or malicious rules might lead to breaches of privacy or data handling regulations.
Operational disruption
Altered or misrouted email traffic can disrupt business communication, reducing productivity.
M365 Suspicious Exchange Transport Rule
Steps to investigate
Validate rule changes
Review the modified or added rule to confirm its purpose and alignment with business needs.
Identify the source of the change
Determine the user or account responsible for the modification, noting any signs of compromise.
Audit associated accounts
Check for additional suspicious activity related to the account or entity that made the changes.
Assess email flow
Analyze email logs to identify unauthorized forwarding, data exfiltration, or other unusual activity.
M365 Suspicious Exchange Transport Rule
Related detections
FAQs
What is an Exchange transport rule?
A policy configured in Exchange to manage the flow and content of email messages.
Can this detection be a false positive?
Yes, especially if there’s poor documentation or notification of administrative updates.
What logs should I review for this detection?
Examine Exchange audit logs, email traffic logs, and administrative action logs.
Why are external email destinations a red flag?
They often signify data exfiltration or unauthorized monitoring.
How often should I review transport rules?
Regular audits should be part of routine security and compliance checks.
How can I distinguish legitimate rule changes from malicious ones?
Look for unusual destinations, conditions, or actions inconsistent with standard practices.
How does this relate to broader M365 security?
It highlights potential misuse of email management, a critical vector in many attacks.
What tools can assist in analyzing suspicious transport rules?
Use M365 Security & Compliance Center and third-party forensic tools for deeper insight.
What mitigation steps are effective post-detection?
Disable the rule, assess account compromise, and strengthen access controls.
What training can help reduce false alarms?
Educating administrators on proper rule management and documentation.