How to Build an Exception Rule for Inbox Forwarding Rule Created - Ignore Internal Domain
An alert based on a user creating an inbox forwarding rule is often a benign false positive, as this is an activity some users perform on a semi-regular basis as part of their normal duties.
This detection identifies the creation of new inbox rules that forward emails, upon receipt, to another email address. This technique is used by malicious actors to maintain continuous access to all email messages received by the victim, even after the password has been changed. It can also be used to maintain access to other accounts associated with the victim's email address.
Typically, when an employee or monitored user sets up an email forwarding rule for legitimate purposes, they forward the emails to an internal email domain, so that the Recipients field or ForwardTo field lists an internal domain as part of the email target.
Here is an example log event snippet which you would see in an alert such as this:
{
  "timestamp": "2024-02-05T09:32:31.000Z",
  "source_user": "User 1111",
  "service": "o365",
  "action": "UpdateInboxRules",
  "source_account": "account1@mydomain.com",
  "source_json": {
    "CreationTime": "2024-02-05T09:32:31",
    "Id": "XXXXXXXXXXXXXXXXXXXXX",
    "Operation": "UpdateInboxRules",
    "OrganizationId": "XXXXXXXXXXXXXXXXXXXXXXXX",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "XXXXXXXXXXXXXXXX",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "11.22.33.44",
    "UserId": "account1@mydomain.com",
    "ClientIPAddress": "11.22.33.44",
    "ClientInfoString": "Client=MSExchangeRPC",
    "ClientProcessName": "OUTLOOK.EXE",
    "ClientRequestId": "{XXXXXXXXXXXXXXXXXXXXXXX}",
    "ClientVersion": "XXXXXXXX",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 2,
    "LogonUserSid": "XXXXXXXXXXXXXXXXXXXXX",
    "MailboxGuid": "XXXXXXXXXXXXX",
    "MailboxOwnerMasterAccountSid": "XXXXXXXXXXXXX",
    "MailboxOwnerSid": "XXXXXXXXXXXXX",
    "MailboxOwnerUPN": "inbox@mydomain.com",
    "OperationProperties": [
      {
        "Name": "RuleOperation",
        "Value": "AddMailboxRule"
      },
      {
        "Name": "RuleId",
        "Value": "0"
      },
      {
        "Name": "RuleState",
        "Value": "0"
      },
      {
        "Name": "RuleCondition",
        "Value": "{(&((SubString IgnoreCase(SubjectProperty)=XXXXXXXXXXXXX)(|((SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)))))}"
      },
      {
        "Name": "RuleName",
        "Value": "RULE 1"
      },
      {
        "Name": "RuleProvider",
        "Value": "RuleOrganizer"
      },
      {
        "Name": "RuleActions",
        "Value": "[{\"ActionType\":\"Forward\",\"Recipients\":[\"account2@mydomain.com\"],\"ForwardFlags\":\"None\"}]"
      }
    ],
    "OrganizationName": "mydomain.onmicrosoft.com",
    "OriginatingServer": "XXXXXXXXXXXXX (X.X.X.X)\n",
    "SessionId": "XXXXXXXXXXXXX",
    "Item": {
      "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
      "ParentFolder": {
        "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
        "Name": "Bandeja de entrada",
        "Path": "\\Bandeja de entrada"
      }
    }
  },
  "r7_context": {
    "source_user": {
      "type": "user",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "XXXXXXXXXXXXX"
    },
    "source_account": {
      "type": "account",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "account1@mydomain.com"
    }
  }
}
Note that in this instance the email domain of the target lies within source_json.OperationProperties.6.Value, and that the same object carries RuleActions in its Name value.
The issue with simply creating an exception to allow the event when source_json.OperationProperties.6.Value ICONTAINS "@mydomain.com" is that RuleActions is not always in the same position in the array, so the likelihood of your exception being effective is low.
In order to build an exception rule that will be effective, navigate to the Exception Rules tab from within the Detection Rule Details page, or when viewing the Alert Details for a specific Investigation. Hit Create Exception and add the following rule logic:
where(source_json.OperationProperties.* HAS (Value ICONTAINS-ALL ["Recipients","@mydomain.com"] AND Name = RuleActions))
Adjust the domain and Name = RuleActions where appropriate.
The HAS operator allows you to anchor on an object which is an array of objects and, within each of those objects, apply a key-value pair check to ensure the string in the key "Name" is RuleActions and that the Value of that same object contains both the internal domain and the word Recipients.
Please note the HAS operator is currently not supported in Log Search; HAS only works within the Exception Rule and Custom Detection Rule context.
When validating your exception rule, review the Affected vs Unaffected Payloads and ensure that when you create a test inbox forwarding rule to a non-internal domain such as gmail.com, the detection rule still fires as expected.
When building exceptions like this, if you are confident it is correct and will function as expected, it is recommended to set the Exception Rule Action to Tracks Notable Event, to keep track of how often it occurs (in case something abnormal occurs with internal-to-internal domain forwarding nonetheless). However, if you are unsure of the exception and would rather not prevent Investigations from being created right away, we recommend setting the Exception Rule Action to Assess Activity.
Assess Activity: this will track the number of detections that occur and generate a relative activity score over the next 7 days. After 7 days, the Rule Action will automatically be switched Off unless you manually change it. The detection data will not be used in Investigations.
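To see how the HAS clause above behaves against affected and unaffected payloads, here is an added Python example (not part of the original article and not Rapid7 code) that rebuilds the exception logic over constructed events modelled on the sample event above. The names make_event, exception_matches, all_forward_recipients_internal and triage are chosen for this example. It goes one step beyond the page's rule by adding a stricter variant that parses the RuleActions JSON string and requires every forward recipient to be internal, because a plain ICONTAINS-ALL on the Value string also matches a rule that forwards to an internal address and an external one at once, or to a lookalike domain that merely contains the text @mydomain.com.

```python
import json

# Internal domain from the page's example; adjust for your tenant
# (assumption for this example: a single internal domain).
INTERNAL_DOMAIN = "@mydomain.com"


def make_event(recipients, rule_actions_first=False):
    """Build a constructed UpdateInboxRules event modelled on the sample on this page.

    As in the real O365 event, the RuleActions Value is a JSON-encoded string.
    rule_actions_first moves RuleActions to index 0 to show that its array
    position cannot be relied upon.
    """
    actions = [{"ActionType": "Forward", "Recipients": recipients, "ForwardFlags": "None"}]
    props = [
        {"Name": "RuleOperation", "Value": "AddMailboxRule"},
        {"Name": "RuleName", "Value": "RULE 1"},
        {"Name": "RuleActions", "Value": json.dumps(actions)},
    ]
    if rule_actions_first:
        props.insert(0, props.pop())
    return {"action": "UpdateInboxRules", "source_json": {"OperationProperties": props}}


def exception_matches(event):
    """Python equivalent of the exception logic on this page:

        OperationProperties.* HAS (Value ICONTAINS-ALL ["Recipients", "@mydomain.com"]
                                   AND Name = RuleActions)

    Every object in the array is inspected, so array position does not matter,
    and the substring checks are case-insensitive like ICONTAINS-ALL.
    """
    needles = [s.lower() for s in ("Recipients", INTERNAL_DOMAIN)]
    for prop in event["source_json"].get("OperationProperties", []):
        value = str(prop.get("Value", "")).lower()
        if prop.get("Name") == "RuleActions" and all(n in value for n in needles):
            return True
    return False


def all_forward_recipients_internal(event):
    """Stricter variant: parse the RuleActions JSON and require every Forward
    recipient to end with the internal domain, so a rule that forwards to an
    internal address and an external one in the same action is not excepted."""
    for prop in event["source_json"].get("OperationProperties", []):
        if prop.get("Name") != "RuleActions":
            continue
        try:
            actions = json.loads(prop.get("Value", ""))
        except (TypeError, ValueError):
            return False  # unparseable RuleActions: never suppress
        recipients = [
            r
            for action in actions
            if action.get("ActionType") == "Forward"
            for r in action.get("Recipients", [])
        ]
        return bool(recipients) and all(r.lower().endswith(INTERNAL_DOMAIN) for r in recipients)
    return False


def triage(event, strict=False):
    """Return 'suppressed' when the exception applies to this event, else 'alert'."""
    check = all_forward_recipients_internal if strict else exception_matches
    return "suppressed" if check(event) else "alert"


if __name__ == "__main__":
    # Constructed affected/unaffected payloads for validating the exception.
    cases = {
        "internal forward": make_event(["account2@mydomain.com"]),
        "internal, RuleActions reordered": make_event(["account2@mydomain.com"], rule_actions_first=True),
        "external forward (gmail.com)": make_event(["someone@gmail.com"]),
        "internal + external in one rule": make_event(["account2@mydomain.com", "someone@gmail.com"]),
        "lookalike domain": make_event(["account2@mydomain.com.example"]),
    }
    for label, event in cases.items():
        print(f"{label:34} page logic: {triage(event):10} strict: {triage(event, strict=True)}")
```

Running it prints the decision for each constructed case. The external gmail.com case still alerts under both variants, which is the check the validation step above asks for; the mixed-recipient and lookalike cases are suppressed by the page's substring logic but not by the stricter variant, which is shown here as an additional triage check rather than a replacement for the exception rule syntax above.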
David Smith
Rapid7 Support