Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Threat Essentials - Mail redirect via ExO transport rule

Back
Idd7c575b2-84f5-48cb-92c5-70d7e8246284
RulenameThreat Essentials - Mail redirect via ExO transport rule
DescriptionIdentifies when Exchange Online transport rule configured to forward emails.

This could be an adversary mailbox configured to collect mail from multiple user accounts.
SeverityMedium
TacticsCollection
Exfiltration
TechniquesT1114
T1020
Required data connectorsOffice365
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml
Version1.0.2
Arm templated7c575b2-84f5-48cb-92c5-70d7e8246284.json
Deploy To Azure
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| extend p = parse_json(Parameters)
| extend RuleName = case(
  Operation =~ "Set-TransportRule", tostring(OfficeObjectId),
  Operation =~ "New-TransportRule", tostring(p[1].Value),
  "Unknown"
  )
| mvexpand p
| where (p.Name =~ "BlindCopyTo" or p.Name =~ "RedirectMessageTo") and isnotempty(p.Value)
| extend RedirectTo = p.Value
| extend ClientIPOnly = case(
  ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[0]),
  ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[0]),
  ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
  ClientIP
  )
| extend Port = case(
  ClientIP has "." and ClientIP has ":", (split(ClientIP,":")[1]),
  ClientIP has "." and ClientIP has "-", (split(ClientIP,"-")[1]),
  ClientIP has "[" and ClientIP has ":", tostring(split(ClientIP,"]:")[1]),
  ClientIP has "[" and ClientIP has "-", tostring(split(ClientIP,"]-")[1]),
  ClientIP
  )
| extend ClientIP = ClientIPOnly
| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName
| extend Name=split(UserId, "@")[0], UPNSuffix=split(UserId, "@")[1]
status: Available
id: d7c575b2-84f5-48cb-92c5-70d7e8246284
query: |
  OfficeActivity
  | where OfficeWorkload == "Exchange"
  | where Operation in~ ("New-TransportRule", "Set-TransportRule")
  | extend p = parse_json(Parameters)
  | extend RuleName = case(
    Operation =~ "Set-TransportRule", tostring(OfficeObjectId),
    Operation =~ "New-TransportRule", tostring(p[1].Value),
    "Unknown"
    )
  | mvexpand p
  | where (p.Name =~ "BlindCopyTo" or p.Name =~ "RedirectMessageTo") and isnotempty(p.Value)
  | extend RedirectTo = p.Value
  | extend ClientIPOnly = case(
    ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[0]),
    ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[0]),
    ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
    ClientIP
    )
  | extend Port = case(
    ClientIP has "." and ClientIP has ":", (split(ClientIP,":")[1]),
    ClientIP has "." and ClientIP has "-", (split(ClientIP,"-")[1]),
    ClientIP has "[" and ClientIP has ":", tostring(split(ClientIP,"]:")[1]),
    ClientIP has "[" and ClientIP has "-", tostring(split(ClientIP,"]-")[1]),
    ClientIP
    )
  | extend ClientIP = ClientIPOnly
  | project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName
  | extend Name=split(UserId, "@")[0], UPNSuffix=split(UserId, "@")[1]  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml
description: |
  'Identifies when Exchange Online transport rule configured to forward emails.
  This could be an adversary mailbox configured to collect mail from multiple user accounts.'  
name: Threat Essentials - Mail redirect via ExO transport rule
relevantTechniques:
- T1114
- T1020
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - OfficeActivity
  connectorId: Office365
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.2
kind: Scheduled
tactics:
- Collection
- Exfiltration
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7c575b2-84f5-48cb-92c5-70d7e8246284')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7c575b2-84f5-48cb-92c5-70d7e8246284')]",
      "properties": {
        "alertRuleTemplateName": "d7c575b2-84f5-48cb-92c5-70d7e8246284",
        "customDetails": null,
        "description": "'Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.'\n",
        "displayName": "Threat Essentials - Mail redirect via ExO transport rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml",
        "query": "OfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName = case(\n  Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n  Operation =~ \"New-TransportRule\", tostring(p[1].Value),\n  \"Unknown\"\n  )\n| mvexpand p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly = case(\n  ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]),\n  ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]),\n  ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\n  ClientIP\n  )\n| extend Port = case(\n  ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n  ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n  ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n  ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\n  ClientIP\n  )\n| extend ClientIP = ClientIPOnly\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\n| extend Name=split(UserId, \"@\")[0], UPNSuffix=split(UserId, \"@\")[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "techniques": [
          "T1020",
          "T1114"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}