5.7 Ensure mail forwarding rules are reviewed at least weekly

Information

You should review mail forwarding rules to external domains at least every week.

Rationale:

While there are lots of legitimate uses of mail forwarding rules, they are also a popular data exfiltration tactic for attackers. You should review them regularly to ensure your users' email is not being exfiltrated.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review mail forwarding rules, use the Microsoft 365 Admin Center:

Go to Exchange admin center.

Expand Reports then select Mail flow.

Click on Auto forwarded messages report.

Review

To review mail forwarding rules, use the following Powershell script:
Uses the administrator user credential to export Mail forwarding rules, User Delegates and SMTP Forwarding policies to multiple csv files. First connect to Exchange Online by using connect-exopssession

$allUsers = @()
$AllUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | select ObjectID, UserPrincipalName, FirstName, LastName, StrongAuthenticationRequirements, StsRefreshTokensValidFrom, StrongPasswordRequired, LastPasswordChangeTimestamp | Where-Object {($_.UserPrincipalName -notlike '*#EXT#*')}

$UserInboxRules = @()
$UserDelegates = @()

foreach ($User in $allUsers)
{
Write-Host 'Checking inbox rules and delegates for user: ' $User.UserPrincipalName;
$UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalname | Select Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage | Where-Object {($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectsTo -ne $null)}
$UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName | Where-Object {($_.IsInherited -ne 'True') -and ($_.User -notlike '*SELF*')}
}

$SMTPForwarding = Get-Mailbox -ResultSize Unlimited | select DisplayName,ForwardingAddress,ForwardingSMTPAddress,DeliverToMailboxandForward | where {$_.ForwardingSMTPAddress -ne $null}

# Export list of inboxRules, Delegates and SMTP Forwards
$UserInboxRules | Export-Csv MailForwardingRulesToExternalDomains.csv
$UserDelegates | Export-Csv MailboxDelegatePermissions.csv
$SMTPForwarding | Export-Csv Mailboxsmtpforwarding.csv

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: 68b2689a42a871e7f5c25fb39c0cb78fe3d4eb035cce312520ab082322210860