Inbox Forwarding Rule Exception

Hello Everyone,
I am trying to create an exception for the inbox forwarding rule detections. If the recipient email address is within my organization I do not want an alert. For example, if the email domain is @gmail.com it should not trigger the inbox forward alert since the email is internal.

Thank you!

1 Like

Hey! same here… we are trying but we have not enought logs to parse it and make a rule based on the custom field…
I think there should be a cleaner way… @support_rapid7

If you can provide a sample obfuscated log event I could suggest an exception to the rule.

If you are trying to build a custom parsing rule @mmur_gt4e and are having difficulties I’d suggest raising a support case

Sure, here you have

{
  "timestamp": "2024-02-05T09:32:31.000Z",
  "source_user": "User 1111",
  "service": "o365",
  "action": "UpdateInboxRules",
  "source_account": "account1@mydomain.com",
  "source_json": {
    "CreationTime": "2024-02-05T09:32:31",
    "Id": "XXXXXXXXXXXXXXXXXXXXX",
    "Operation": "UpdateInboxRules",
    "OrganizationId": "XXXXXXXXXXXXXXXXXXXXXXXX",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "XXXXXXXXXXXXXXXX",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "11.22.33.44",
    "UserId": "account1@mydomain.com",
    "ClientIPAddress": "11.22.33.44",
    "ClientInfoString": "Client=MSExchangeRPC",
    "ClientProcessName": "OUTLOOK.EXE",
    "ClientRequestId": "{XXXXXXXXXXXXXXXXXXXXXXX}",
    "ClientVersion": "XXXXXXXX",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 2,
    "LogonUserSid": "XXXXXXXXXXXXXXXXXXXXX",
    "MailboxGuid": "XXXXXXXXXXXXX",
    "MailboxOwnerMasterAccountSid": "XXXXXXXXXXXXX",
    "MailboxOwnerSid": "XXXXXXXXXXXXX",
    "MailboxOwnerUPN": "inbox@mydomain.com",
    "OperationProperties": [
      {
        "Name": "RuleOperation",
        "Value": "AddMailboxRule"
      },
      {
        "Name": "RuleId",
        "Value": "0"
      },
      {
        "Name": "RuleState",
        "Value": "0"
      },
      {
        "Name": "RuleCondition",
        "Value": "{(&((SubString IgnoreCase(SubjectProperty)=XXXXXXXXXXXXX)(|((SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)))))}"
      },
      {
        "Name": "RuleName",
        "Value": "RULE 1"
      },
      {
        "Name": "RuleProvider",
        "Value": "RuleOrganizer"
      },
      {
        "Name": "RuleActions",
        "Value": "[{"ActionType":"Forward","Recipients":["account2@mydomain.com"],"ForwardFlags":"None"}]"
      }
    ], 
    "OrganizationName": "mydomain.onmicrosoft.com",
    "OriginatingServer": "XXXXXXXXXXXXX (X.X.X.X)
\n",
    "SessionId": "XXXXXXXXXXXXX",
    "Item": {
      "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
      "ParentFolder": {
        "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
        "Name": "Bandeja de entrada",
        "Path": "\Bandeja de entrada"
      }
    }
  },
  "r7_context": {
    "source_user": {
      "type": "user",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "XXXXXXXXXXXXX"
    },
    "source_account": {
      "type": "account",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "account1@mydomain.com"
    }
  }
}
1 Like

Thanks @mmur_gt4e Also interested in knowing the exception rule for this

It can be a pain but I like the inbox forwarding rule detection. We had a user that was compromised and could see that her inbox rule was changed to move emails to the RSS Feeds folder so the hacker could do whatever they wanted with emails and the user didn’t receive any emails.

My $.02 worth.

Yo!
We had this issue as well and I ended up taking the LEQL for the default inbox forwarding alert and giving it to ChatGPT with the same request. Then tested it and verified it works, for us at least. We also have multiple internal domains so there are additional fields should you need them. Unfortunately R7’s implementation of LEQL doesn’t let you define a variable for internal domains which would make it a little prettier but oh well, it works.
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )

Edit: Formatting from Code Block to Preformatted Text

It would be slightly more efficient to use

source_json.Parameters.Value ICONTAINS-ANY [“@yourdomain1.com,"@yourdomain2.com","@yourdomain4.com",“etc”]

This way you only need to write the key name once.

https://docs.rapid7.com/insightidr/components-for-building-a-query/#comparison-operators
Screenshot 2024-04-18 at 6.34.16 PM

1 Like

Hey! Thank you!!
But unfortunately I cannot make it run, I attach a picture, Am I missing something?
error_custom

Quotes are used to delimit the value. As your value has double quotes in it, you should surround the entire value in single quotes.

InsightIDR Seems not to understand the “source_json.Parameters.Value” as it needs the property that is actually dinamic and changes from one log to another.

Not sure but maybe the preformatted version would help?
Copy paste this instead:
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )

Edit: Yeah this should work, I pasted the original in a code block which seems to have stripped some forward slashes vs. this as preformatted text.

This Seems to Work, thank you for the effort!! I think Rapid7 should cover this by default…

1 Like

Why is there so many repetition on the query? I see "source_json.OperationProperties.Value ICONTAINS “@yourdomain1.com” multiple times. Can you explain the logic here?

Hi cyberpunk, The repetition is necessary if you are in an organization that uses multiple domains and you therefore need to check if the email is being forwarded to any of the internal domains. For example the domains needing to be checked could be mycompany.com, mycompany.za, mycompany.ca etc. Forwarding to any of these would be allowed and not alerted. If you are in an organization of a single domain this is easier.

Also, to everyone else, I’ve been recently trying to do this in insightConnect and every time i think I’ve resolved it another problem comes up. Fun ones at the moment are:

  • There are four types of events I’ve found (so far) which are fired by forwarding rules - NewInboxRule, SetInboxRule, Set-Mailbox and UpdateInboxRules

  • Forwarding can be set to multiple recipients which may include an internal AND external address, which makes it even more complex.