M365 Suspicious Exchange Transport Rule

View all detections
M365 Suspicious Exchange Transport Rule


  • A new Exchange transport rule has been created with a potentially risky action that may provide email collection, exfiltration, or deletion capabilities (BlindCopyTo, CopyTo, Delete).

Possible Root Causes

  • An attacker has gained Exchange administrator access with the capabilities of forwarding sensitive emails prior to their arrival in a user’s inbox to an attacker controlled email address (internal or external).
  • An attacker may be preparing to delete important emails prior to their arrival in a user’s inbox to prevent important alerts or notifications from occurring.
  • A legitimate transport rule was added to support business requirements or prevent dangerous emails from reaching user inboxes.

Business Impact

  • Because email services are critical to so many enterprise activities, attackers prioritize access both as a means of progressing an attack as well as a mechanism for data exfiltration.
  • Forwarded emails may expose sensitive data.
  • Deleted emails may mask security alerts or important emails alerting an organization to a breach.
  • The combination of forwarded and deleted emails may allow an external party to impersonate internal users to further their goals.

Steps to Verify

  • Validate the new transport rule serves a business purpose, does not create a risk of data exposure, and has been implemented according to proper change control processes.