6.4.1 Ensure mail forwarding rules are reviewed at least weekly

Information

The Exchange Online environment can be configured in a way that allows for automatic forwarding of e-mail. This can be done using Transport Rules in the Admin Center, Auto Forwarding per mailbox, and client-based rules in Outlook. Both administrators and users therefore have several ways to automatically and quickly send e-mail outside of your organization.

Rationale:

Reviewing mail forwarding rules gives the Messaging Administrator insight into possible attempts to exfiltrate data from the organization. Weekly review helps establish a baseline of legitimate user activity, which in turn makes it easier to identify malicious activity by bad actors when/if they choose to use this side channel.

Impact:

There is no impact to reviewing these reports.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review mail forwarding rules:

Navigate to Exchange admin center https://admin.exchange.microsoft.com.

Expand Reports then select Mail flow.

Click on Auto forwarded messages report.

Review.

Note: Mail flow reports cannot be viewed from the Classic Exchange Admin Center.

To review mail forwarding rules using PowerShell:

Connect to Exchange Online PowerShell using Connect-ExchangeOnline.

# Uses the administrator user credential to export mail forwarding rules, user delegates
# and SMTP forwarding policies to multiple CSV files.

# Enabled user mailboxes only
$allUsers = Get-User -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox' } |
    Where-Object {$_.AccountDisabled -like 'False'}

$UserInboxRules = @()
$UserDelegates = @()

foreach ($User in $allUsers) {
    Write-Host 'Checking inbox rules and delegates for user: ' $User.UserPrincipalName

    # Inbox rules that forward or redirect mail. MailboxOwnerId is included so each
    # exported row shows which mailbox the rule belongs to.
    $UserInboxRules += Get-InboxRule -Mailbox $User.UserPrincipalName |
        Select-Object MailboxOwnerId, Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectTo -ne $null) }

    # Explicitly granted (non-inherited) mailbox permissions, excluding the owner's own entry
    $UserDelegates += Get-MailboxPermission -Identity $User.UserPrincipalName |
        Where-Object { ($_.IsInherited -ne 'True') -and ($_.User -notlike '*SELF*') }
}

# Mailboxes with an SMTP forwarding address set directly on the mailbox
$SMTPForwarding = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxandForward |
    Where-Object {$_.ForwardingSMTPAddress -ne $null}

# Export list of inbox rules, delegates, and SMTP forwards
$UserInboxRules | Export-Csv MailForwardingRulesToExternalDomains.csv -NoTypeInformation
$UserDelegates | Export-Csv MailboxDelegatePermissions.csv -NoTypeInformation
$SMTPForwarding | Export-Csv Mailboxsmtpforwarding.csv -NoTypeInformation
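
The export above lists every forwarding rule, internal or external. The following added example (not part of the benchmark's script) shows one way to triage those rows during the weekly review by flagging targets outside the organization's own domains. The function name Get-ExternalForwardTarget, the domain list, the sample rows and the address formats it parses are assumptions made for illustration.

```powershell
# Added example. Assumption: in a live session the internal list would be built from
# Get-AcceptedDomain; these are constructed sample values so the block runs offline.
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Get-ExternalForwardTarget {
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [Parameter(Mandatory)] [string[]] $InternalDomain,
        [string[]] $Property = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress')
    )
    foreach ($r in $Record) {
        # Inbox rule rows carry Name, mailbox rows carry DisplayName.
        $source = if ($r.Name) { $r.Name } else { $r.DisplayName }
        foreach ($p in $Property) {
            $value = $r.$p
            if (-not $value) { continue }
            # Assumed value shapes: '"x" [SMTP:user@domain]' in rules, 'smtp:user@domain' on mailboxes.
            # '[EX:/o=...]' entries are directory recipients and are skipped here; a mail contact
            # behind one can still point outside the organization, so resolve those separately.
            foreach ($m in [regex]::Matches([string]$value, '(?i)smtp:([^\s\];,"@]+@([^\s\];,"@]+))')) {
                $domain = $m.Groups[2].Value.ToLowerInvariant()
                if ($InternalDomain -notcontains $domain) {
                    [pscustomobject]@{ Source = $source; Field = $p; Address = $m.Groups[1].Value; Domain = $domain }
                }
            }
        }
    }
}

# Constructed sample rows shaped like the CSV exports above (not real data).
$rows = @(
    [pscustomobject]@{ Name = 'Move invoices'; ForwardTo = '"Finance" [EX:/o=ExchangeLabs/cn=Recipients/cn=finance]' }
    [pscustomobject]@{ Name = 'Copy all'; RedirectTo = '"drop@example.net" [SMTP:drop@example.net]' }
    [pscustomobject]@{ Name = 'Team fwd'; ForwardTo = '"Ann" [SMTP:ann@contoso.com] "Bob" [SMTP:bob@partner.example]' }
    [pscustomobject]@{ DisplayName = 'Pat Lee'; ForwardingSmtpAddress = 'smtp:pat.lee@example.org' }
    [pscustomobject]@{ DisplayName = 'Sam Roe'; ForwardingSmtpAddress = 'smtp:sam@contoso.com' }
)

Get-ExternalForwardTarget -Record $rows -InternalDomain $InternalDomains | Format-Table -AutoSize
```

To run it against real exports, pass the output of Import-Csv for MailForwardingRulesToExternalDomains.csv or Mailboxsmtpforwarding.csv as -Record.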

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: 231ae9fbd933e4d7b64ccf95ca79afa14bddd66f5f5e25e5d2e64aef92e42e63