5.7 Ensure mail forwarding rules are reviewed at least weekly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The Exchange Online environment can be configured in a way that allows automatic forwarding of e-mail. This can be done using Transport Rules in the Admin Center, auto-forwarding per mailbox, and client-based rules in Outlook. Administrators and users are thus both given several methods to send e-mail outside of your organization automatically and quickly.

Rationale:

Reviewing mail forwarding rules gives the Messaging Administrator insight into possible attempts to exfiltrate data from the organization. A weekly review builds familiarity with the baseline of legitimate user activity, which in turn helps identify the malicious activity of bad actors if they choose to use this side channel.

Impact:

There is no impact to reviewing these reports.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review mail forwarding rules, use the Microsoft 365 Admin Center:

Go to Exchange admin center.

Expand Reports then select Mail flow.

Click on Auto forwarded messages report.

Review the report.

Note: Mail flow reports cannot be viewed from the Classic Exchange Admin Center.

To review mail forwarding rules, use the following PowerShell script:
The script uses an administrator credential to export mail forwarding rules, user delegates and SMTP forwarding settings to separate CSV files. First connect to Exchange Online and Azure Active Directory using Connect-ExchangeOnline and Connect-MsolService respectively.

# Enabled, non-guest users (requires a prior Connect-MsolService)
$allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Select-Object ObjectID, UserPrincipalName, FirstName, LastName, StrongAuthenticationRequirements, StsRefreshTokensValidFrom, StrongPasswordRequired, LastPasswordChangeTimestamp |
    Where-Object { $_.UserPrincipalName -notlike '*#EXT#*' }

$UserInboxRules = @()
$UserDelegates = @()

foreach ($User in $allUsers)
{
    Write-Host 'Checking inbox rules and delegates for user: ' $User.UserPrincipalName
    # Keep only rules that forward, forward as attachment, or redirect mail.
    # MailboxOwnerId is included so each exported row records whose mailbox the rule belongs to.
    # (The filter property is RedirectTo; the original script tested a non-existent RedirectsTo,
    # so redirect-only rules were never exported.)
    $UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalName |
        Select-Object MailboxOwnerId, Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectTo -ne $null) }
    # Explicitly granted (non-inherited) delegate permissions, excluding the owner's own SELF entry
    $UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName |
        Where-Object { (-not $_.IsInherited) -and ($_.User -notlike '*SELF*') }
}

# Mailbox-level SMTP forwarding, whether set by an administrator or by the user
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSMTPAddress -ne $null }

# Export list of inbox rules, delegates and SMTP forwards.
# Note: the inbox-rule export contains every forwarding rule, internal targets included;
# rules targeting external domains must be identified during the review.
$UserInboxRules | Export-Csv MailForwardingRulesToExternalDomains.csv -NoTypeInformation
$UserDelegates | Export-Csv MailboxDelegatePermissions.csv -NoTypeInformation
$SMTPForwarding | Export-Csv Mailboxsmtpforwarding.csv -NoTypeInformation
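The weekly review of the inbox-rule CSV that the script above exports can be partly automated. The following Python script is an added example, not part of the benchmark or of the page's script; it assumes the export also carries a MailboxOwnerId column (so each rule can be tied to a mailbox) and uses constructed sample exports for two consecutive weeks and a constructed accepted-domain list. It flags rules that are new or changed since the previous export, rules whose targets lie outside the accepted domains, and external forwarding combined with deletion of the original message.

```python
import csv
import io
import re

# Constructed sample exports in the layout of the page's inbox-rule CSV, plus an
# assumed MailboxOwnerId column so each rule can be tied to its mailbox.
LAST_WEEK = '''\
"MailboxOwnerId","Name","Enabled","ForwardTo","ForwardAsAttachmentTo","RedirectTo","DeleteMessage"
"alice@contoso.com","Copy to assistant","True","""Bob"" [SMTP:bob@contoso.com]","","","False"
'''
THIS_WEEK = '''\
"MailboxOwnerId","Name","Enabled","ForwardTo","ForwardAsAttachmentTo","RedirectTo","DeleteMessage"
"alice@contoso.com","Copy to assistant","True","""Bob"" [SMTP:bob@contoso.com]","","","False"
"alice@contoso.com","Invoices","True","","","""x"" [SMTP:drop@mail-example.net]","True"
'''
ACCEPTED_DOMAINS = {"contoso.com"}  # the tenant's own accepted domains (constructed)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def load_rules(text):
    """Parse one export into {(mailbox owner, rule name): row}."""
    return {(r["MailboxOwnerId"], r["Name"]): r
            for r in csv.DictReader(io.StringIO(text))}

def targets(row):
    """All addresses a rule sends mail to, across the three forwarding columns."""
    cells = (row.get("ForwardTo", ""), row.get("ForwardAsAttachmentTo", ""),
             row.get("RedirectTo", ""))
    return sorted({m.lower() for c in cells for m in EMAIL_RE.findall(c)})

def review(previous_text, current_text, accepted=ACCEPTED_DOMAINS):
    """Compare this week's export with last week's and return the rules worth a look."""
    prev, cur = load_rules(previous_text), load_rules(current_text)
    findings = []
    for key, row in cur.items():
        # external = target domain is not one of the tenant's accepted domains
        ext = [t for t in targets(row) if t.rsplit("@", 1)[1] not in accepted]
        flags = []
        if key not in prev:
            flags.append("new")
        elif targets(row) != targets(prev[key]):
            flags.append("changed")
        if ext:
            flags.append("external")
            if row.get("DeleteMessage") == "True":
                flags.append("deletes-original")  # forwards out and hides the trace
        if flags:
            findings.append({"owner": key[0], "rule": key[1],
                             "targets": ext or targets(row), "flags": flags})
    return findings
```

Rules that disappeared since the previous export are not reported; the delegate and SMTP-forwarding CSVs can be diffed the same way using DisplayName or User as the key.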

See Also

https://workbench.cisecurity.org/files/4073