Identifying, evaluating and tracking user created email forward rules with Microsoft M365 E3

In the digital age, communication flows effortlessly through emails, connecting individuals and businesses across the globe. Microsoft 365 (M365), a comprehensive suite of productivity tools, has revolutionized the way we collaborate. However, this convenience comes with potential security vulnerabilities, particularly when it comes to user-created email forward rules. In this blog post, we will delve into the risks posed by auto-forward rules, both in the context of business email compromise attacks and malicious insider threats. We will also explore how Microsoft M365 E3 can be leveraged to identify, evaluate, and track these rules for enhanced email security.

In case you missed it last time, please check out:

  1. Part 1: Who / What / Why does the mid-market all have Microsoft M365 E3 licenses

  2. Part 2: How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications?

  3. Part 3: Discovering user consented apps with Microsoft M365 E3

  4. Part 4: Identifying and removing inactive users with Microsoft M365 E3

  5. Part 5: Calculating inferred or effective MFA for non-Microsoft applications

  6. Part 6: Privileged Access Management in non-SCIM apps with Microsoft M365 E3

  7. Part 7: Identifying, Evaluating, and Tracking Open Shares for External Users with Microsoft M365 E3

  8. Part 8: Keeping Abreast of Changes in User Permissions, Configuration, and Access with Microsoft M365 E3

  9. Part 9: Discovering and Reporting on DLP Alerts Older than 7 Days with Microsoft M365 E3

The Double-Edged Sword: Auto-Forward Rules

Auto-forward rules in email clients are designed to streamline communication by automatically forwarding incoming emails to another email address. While these rules offer convenience, they also open the door to security risks that organizations must be aware of:

Business Email Compromise (BEC) Attacks: BEC attacks involve cybercriminals impersonating a trusted entity to manipulate individuals into divulging sensitive information or transferring funds. Auto-forward rules can be exploited to silently intercept crucial business communications, providing attackers with real-time insights into company operations, negotiation strategies, and financial transactions. This insight equips attackers with the knowledge needed to craft convincing social engineering tactics, making BEC attacks even more potent.

Malicious Insider Threats: Insiders with malicious intent can exploit auto-forward rules to exfiltrate sensitive information without triggering traditional security alerts. These insiders might be disgruntled employees seeking to harm the organization or individuals motivated by financial gain. By forwarding sensitive information externally, these insiders can compromise sensitive data, trade secrets, proprietary information, and even customer data, all while evading detection.

Identifying Risks with Microsoft M365 E3:

Microsoft M365 E3 offers a robust suite of security tools that can assist in identifying and mitigating the risks associated with user-created auto-forward rules:

  1. Unified Logging and Reporting: M365 E3 enables organizations to monitor and track user activities through unified logging and reporting. Administrators can analyze email forwarding patterns and identify anomalies that might indicate unauthorized auto-forward rules.

  2. Data Loss Prevention (DLP): M365 E3's DLP feature allows organizations to define policies that prevent the unauthorized sharing of sensitive data. It can automatically block or trigger alerts when emails containing sensitive information are forwarded externally.

  3. Advanced Threat Protection (ATP): M365 E3's ATP component employs machine learning algorithms to analyze email behavior and identify anomalies. This technology can flag suspicious auto-forwarding activities, enabling timely response.

  4. Evaluation of rules: M365 E3's flexible approach to operations allows connecting to Exchange Online with PowerShell and checking all mailboxes for the presence of auto-forward rules. This lets administrators make risk-based decisions on whether each mail forward rule is to be accepted.
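To put item 1 into practice, the following added example (not from the original post) pulls inbox-rule creations and changes from the unified audit log and lists the forwarding targets each one set. It assumes an active Connect-ExchangeOnline session with audit log read permission; the output file name is a placeholder.

```powershell
# Added example: find inbox rules created or changed in the last 7 days that
# forward or redirect mail, using the unified audit log.
$Since = (Get-Date).AddDays(-7)
# UpdateInboxRules (rules edited from Outlook desktop) uses a different AuditData
# schema and is not parsed here; New-/Set-InboxRule cover OWA and PowerShell.
$Ops = 'New-InboxRule', 'Set-InboxRule'

$Records = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Operations $Ops -ResultSize 5000 -SessionCommand ReturnLargeSet

$Findings = foreach ($Rec in $Records) {
    $Data = $Rec.AuditData | ConvertFrom-Json
    # Parameters is an array of Name/Value pairs; keep only the forwarding actions
    $Fwd = $Data.Parameters |
        Where-Object { $_.Name -in @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') }
    if (-not $Fwd) { continue }
    # New-InboxRule carries the rule name in "Name", Set-InboxRule in "Identity"
    $RuleName = ($Data.Parameters |
        Where-Object { $_.Name -in @('Name', 'Identity') } |
        Select-Object -First 1).Value
    [PSCustomObject]@{
        When      = $Rec.CreationDate
        Actor     = $Data.UserId      # who made the change
        Object    = $Data.ObjectId    # mailbox\rule the change applied to
        Operation = $Rec.Operations
        RuleName  = $RuleName
        Targets   = ($Fwd | ForEach-Object { $_.Value }) -join ';'
        ClientIP  = $Data.ClientIP
    }
}

$Findings | Sort-Object When | Format-Table -AutoSize
$Findings | Export-Csv -Path "ForwardRuleAuditEvents.csv" -NoTypeInformation
```

Rules whose actor, client IP or target domain looks out of place for that mailbox are the ones to triage first; the CreationDate gives you the window to review sign-in logs against.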

Implementing a Comprehensive Approach:

To effectively address the risks of auto-forward rules, organizations should consider adopting a comprehensive approach that encompasses the following steps:

  1. Policy Establishment: Craft clear and concise email usage policies that outline acceptable email forwarding practices. Employees should be educated about the potential risks of auto-forward rules and the consequences of misuse.

  2. User Training and Awareness: Regular training sessions can help employees recognize the signs of BEC attacks and malicious insider behavior. Increased awareness can empower users to report suspicious activities promptly.

  3. Regular Audits: Conduct routine audits of auto-forwarding rules to identify unauthorized configurations. Automated scripts or tools can help streamline this process, ensuring that no rule goes unnoticed.

  4. Incident Response Plans: Develop and communicate incident response plans that outline the steps to be taken if suspicious auto-forwarding activities are detected. This preparedness can minimize the impact of potential breaches.


Use PowerShell to complete a baseline audit

In order to investigate potential BEC, innocent or malicious auto-forward rules, the first step is developing a baseline. To help you create that baseline I've written a simple PowerShell script that will connect to Exchange Online, iterate through all the mailboxes and dump out the presence of auto-forward rules. It will export those rules to a CSV with the mailbox name, rule name and recipient email address in it.

# Connect to Exchange Online (modern auth prompt; the credential object only supplies the UPN)
$UserCredential = Get-Credential
Connect-ExchangeOnline -UserPrincipalName $UserCredential.UserName -ShowProgress $true

# Get all mailboxes in the organization
$AllMailboxes = Get-Mailbox -ResultSize Unlimited

# Initialize an array to store auto-forward rule details
$AutoForwardRules = @()

# Loop through each mailbox and check for rules that forward or redirect mail
foreach ($Mailbox in $AllMailboxes) {
    $UserPrincipalName = $Mailbox.UserPrincipalName
    # RedirectTo is included alongside ForwardTo / ForwardAsAttachmentTo because it
    # also sends a copy of the message to another address
    $AutoForwardRule = Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }

    foreach ($Rule in $AutoForwardRule) {
        # A rule can hold several targets spread across the three properties;
        # collect them all so the CSV never shows an empty recipient
        $Recipients = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        $AutoForwardRules += [PSCustomObject]@{
            "MailboxName"    = $UserPrincipalName
            "RuleName"       = $Rule.Name
            "RecipientEmail" = ($Recipients | Where-Object { $_ }) -join ';'
        }
    }
}

# Export auto-forward rule details to CSV
if ($AutoForwardRules.Count -gt 0) {
    $AutoForwardRules | Export-Csv -Path "AutoForwardRules.csv" -NoTypeInformation
    Write-Host "Auto-forward rule details exported to AutoForwardRules.csv."
} else {
    Write-Host "No user-created auto-forward rules found in the organization."
}

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false



Remember to test the script in a non-production environment and thoroughly review it before running it in production.

Once you have these exports saved over time you can tune and monitor for a reduction in rules, and/or use them to identify incidents or potential bad actors in your organization.
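One way to use two of those saved exports, as an added example that is not part of the original post: compare the previous baseline with today's run, mark rules that are new, and mark rules whose recipient domain is not one the tenant owns. It assumes the CSV layout written by the baseline script (MailboxName, RuleName, RecipientEmail with several addresses joined by ';'), an active Exchange Online session for Get-AcceptedDomain, and placeholder file names.

```powershell
# Added example: diff two baseline exports and flag new or external-forwarding rules.
param(
    [string]$Previous = "AutoForwardRules-previous.csv",   # placeholder
    [string]$Current  = "AutoForwardRules.csv"             # placeholder
)

# Domains the tenant owns; any other recipient domain counts as external
$Internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

# Key that identifies one rule/recipient combination across exports
function Get-RuleKey { param($Row) "$($Row.MailboxName)|$($Row.RuleName)|$($Row.RecipientEmail)" }

$Old = @{}
if (Test-Path $Previous) {
    Import-Csv $Previous | ForEach-Object { $Old[(Get-RuleKey $_)] = $true }
}

$Report = foreach ($Row in Import-Csv $Current) {
    # Entries look like '"Name" [SMTP:user@example.net]' (external) or
    # '"Name" [EX:/o=...]' (internal); only the SMTP form carries an @domain
    $Domains = ($Row.RecipientEmail -split ';') | ForEach-Object {
        if ($_ -match '@([\w.-]+)') { $Matches[1].ToLower() }
    }
    $External = @($Domains | Where-Object { $_ -and ($_ -notin $Internal) })
    [PSCustomObject]@{
        MailboxName     = $Row.MailboxName
        RuleName        = $Row.RuleName
        RecipientEmail  = $Row.RecipientEmail
        IsNew           = -not $Old.ContainsKey((Get-RuleKey $Row))
        External        = ($External.Count -gt 0)
        ExternalDomains = ($External | Sort-Object -Unique) -join ';'
    }
}

# Rules that are both new since the last baseline and external get triaged first
$Report | Where-Object { $_.IsNew -and $_.External } | Format-Table -AutoSize
$Report | Export-Csv -Path "AutoForwardRules-review.csv" -NoTypeInformation
```

Keep the review CSV alongside each dated baseline so the count of external rules can be charted over time, which is the reduction the paragraph above refers to.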



Conclusion: Safeguarding Email Communication

User-created auto-forward rules, while designed for convenience, can introduce significant security risks to an organization. Microsoft M365 E3 offers a range of tools to detect and mitigate these risks, providing administrators with the means to track, evaluate, and prevent unauthorized forwarding activities. 

By implementing a comprehensive strategy that includes user education, policy enforcement, and robust security measures, organizations can effectively safeguard their email communication from the ever-evolving threats posed by BEC attacks and malicious insiders. As email remains a cornerstone of modern business communication, ensuring its security is paramount for maintaining trust, confidentiality, and operational continuity.

Security thought for the week

BEC attacks started being reported around 2012-2013 and were estimated by the FBI to have hit $22 billion USD in 2022. These incidents typically involve cybercriminals targeting employees responsible for financial transactions, such as CFOs or finance department personnel, with requests for fund transfers or payment changes.

One infamous early example is the case of "Mattel v. Zhao" in 2015. In this incident, a China-based cybercriminal group targeted the email accounts of a finance executive at Mattel, a major toy manufacturer. The criminals sent seemingly legitimate emails to the executive, requesting payment transfers to a bank account under their control. The attack resulted in Mattel wiring nearly $3 million to the fraudulent account.

Till then, stay secure.

Adrian
