Detecting Outlook / Exchange data exfiltration
While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments. Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals. One method that an attacker can set up a long-running data espionage or exfiltration scheme is to configure your data to be forwarded to a mailbox of their choosing, such as through Exchange Transport Rules or Outlook Inbox rules.
Here are two scripts that you can run periodically in your organization to detect this type of activity. While you may have some valid reasons to configure messages to be forwarded, you also may want to catalog all of the places that this is done.
In a transport rule, there are a number of actions that can be added to route messages externally:
- Add a To Recipient
- Add a Cc Recipient
- Add a Bcc Recipient
- Redirect a message
In any case, if you have a rule with those actions and the recipient is external to your organization, you may want to check those.
To determine if a message has been routed to an external domain, the script performs the following process:
- Collect all of the accepted domains for the Exchange organization
- Collect all of the transport rules
- Cycle through each transport rule looking for the aforementioned actions, and, if the actions are found, check to see if the recipient's domain matches any of the accepted domains
Outlook Inbox Rules
Similar to transport rules, Outlook inbox rules can have a number of actions configured to send mail to external recipients. Using similar logic, we can detect rules with the following actions:
- Redirect a message
- Forward To
- Forward As Attachment
Using the same logic to determine if the recipients specified in those parameters are external to the organization, the script collects all of the inbox rules (which requires Recipient Management permission) and Accepted Domains, and then compares the recipients of any of those actions to the Accepted Domains list, reporting on external destinations.
You can pick up the scripts here:
Audit Transport Rules - https://gallery.technet.microsoft.com/Audit-Transport-Rules-to-1dd8acee
Audit Outlook Inbox Rules - https://gallery.technet.microsoft.com/Audit-Mailbox-Rules-to-60710f28