Inbox Forwarding Rule Exception

Hello Everyone,
I am trying to create an exception for the inbox forwarding rule detections. If the recipient email address is within my organization I do not want an alert. For example, if the email domain is @gmail.com it should not trigger the inbox forward alert since the email is internal.

Thank you!


Hey! Same here… we are trying, but we don't have enough logs to parse it and make a rule based on the custom field…
I think there should be a cleaner way… @support_rapid7

If you can provide a sample obfuscated log event I could suggest an exception to the rule.

If you are trying to build a custom parsing rule @mmur_gt4e and are having difficulties, I’d suggest raising a support case.

Sure, here you have

{
  "timestamp": "2024-02-05T09:32:31.000Z",
  "source_user": "User 1111",
  "service": "o365",
  "action": "UpdateInboxRules",
  "source_account": "account1@mydomain.com",
  "source_json": {
    "CreationTime": "2024-02-05T09:32:31",
    "Id": "XXXXXXXXXXXXXXXXXXXXX",
    "Operation": "UpdateInboxRules",
    "OrganizationId": "XXXXXXXXXXXXXXXXXXXXXXXX",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "XXXXXXXXXXXXXXXX",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "11.22.33.44",
    "UserId": "account1@mydomain.com",
    "ClientIPAddress": "11.22.33.44",
    "ClientInfoString": "Client=MSExchangeRPC",
    "ClientProcessName": "OUTLOOK.EXE",
    "ClientRequestId": "{XXXXXXXXXXXXXXXXXXXXXXX}",
    "ClientVersion": "XXXXXXXX",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 2,
    "LogonUserSid": "XXXXXXXXXXXXXXXXXXXXX",
    "MailboxGuid": "XXXXXXXXXXXXX",
    "MailboxOwnerMasterAccountSid": "XXXXXXXXXXXXX",
    "MailboxOwnerSid": "XXXXXXXXXXXXX",
    "MailboxOwnerUPN": "inbox@mydomain.com",
    "OperationProperties": [
      {
        "Name": "RuleOperation",
        "Value": "AddMailboxRule"
      },
      {
        "Name": "RuleId",
        "Value": "0"
      },
      {
        "Name": "RuleState",
        "Value": "0"
      },
      {
        "Name": "RuleCondition",
        "Value": "{(&((SubString IgnoreCase(SubjectProperty)=XXXXXXXXXXXXX)(|((SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)))))}"
      },
      {
        "Name": "RuleName",
        "Value": "RULE 1"
      },
      {
        "Name": "RuleProvider",
        "Value": "RuleOrganizer"
      },
      {
        "Name": "RuleActions",
        "Value": "[{"ActionType":"Forward","Recipients":["account2@mydomain.com"],"ForwardFlags":"None"}]"
      }
    ], 
    "OrganizationName": "mydomain.onmicrosoft.com",
    "OriginatingServer": "XXXXXXXXXXXXX (X.X.X.X)
\n",
    "SessionId": "XXXXXXXXXXXXX",
    "Item": {
      "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
      "ParentFolder": {
        "Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
        "Name": "Bandeja de entrada",
        "Path": "\Bandeja de entrada"
      }
    }
  },
  "r7_context": {
    "source_user": {
      "type": "user",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "XXXXXXXXXXXXX"
    },
    "source_account": {
      "type": "account",
      "rrn": "rrn:uba:XXXXXXXXXXXX",
      "name": "account1@mydomain.com"
    }
  }
}

Thanks @mmur_gt4e. Also interested in knowing the exception rule for this.

It can be a pain but I like the inbox forwarding rule detection. We had a user that was compromised and could see that her inbox rule was changed to move emails to the RSS Feeds folder so the hacker could do whatever they wanted with emails and the user didn’t receive any emails.

My $.02 worth.

Yo!
We had this issue as well and I ended up taking the LEQL for the default inbox forwarding alert and giving it to ChatGPT with the same request. Then tested it and verified it works, for us at least. We also have multiple internal domains so there are additional fields should you need them. Unfortunately R7’s implementation of LEQL doesn’t let you define a variable for internal domains which would make it a little prettier but oh well, it works.
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )

Edit: Formatting from Code Block to Preformatted Text

It would be slightly more efficient to use

source_json.Parameters.Value ICONTAINS-ANY ["@yourdomain1.com","@yourdomain2.com","@yourdomain4.com","etc"]

This way you only need to write the key name once.

https://docs.rapid7.com/insightidr/components-for-building-a-query/#comparison-operators


Hey! Thank you!!
But unfortunately I cannot make it run. I attach a picture. Am I missing something?

Quotes are used to delimit the value. As your value has double quotes in it, you should surround the entire value in single quotes.

InsightIDR seems not to understand “source_json.Parameters.Value”, as it needs the property that is actually dynamic and changes from one log to another.

Not sure but maybe the preformatted version would help?
Copy paste this instead:
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )

Edit: Yeah this should work, I pasted the original in a code block which seems to have stripped some forward slashes vs. this as preformatted text.

This seems to work, thank you for the effort!! I think Rapid7 should cover this by default…


Why are there so many repetitions in the query? I see source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" multiple times. Can you explain the logic here?

Hi cyberpunk, the repetition is necessary if your organization uses multiple domains, since you then need to check whether the email is being forwarded to any of the internal domains. For example, the domains needing to be checked could be mycompany.com, mycompany.za, mycompany.ca, etc. Forwarding to any of these would be allowed and not alerted. If you are in an organization with a single domain this is easier.

Also, to everyone else, I’ve recently been trying to do this in InsightConnect and every time I think I’ve resolved it another problem comes up. Fun ones at the moment are:

  • There are four types of events I’ve found (so far) which are fired by forwarding rules: NewInboxRule, SetInboxRule, Set-Mailbox and UpdateInboxRules

  • Forwarding can be set to multiple recipients which may include an internal AND external address, which makes it even more complex.

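Added example, not code from the thread or from Rapid7: the domain-allowlist logic that the LEQL query above expresses with a long chain of ICONTAINS terms, written as a small Python evaluator that also handles the two complications raised in this post (several event shapes, and a rule that forwards to an internal AND an external address at once). The internal domain list, the helper names and the sample events are constructed for the example; the events are modelled on the obfuscated UpdateInboxRules log posted earlier, plus Set-Mailbox / Set-InboxRule shapes with a Parameters array as the query assumes.

```python
"""Decide whether an Office 365 mailbox-rule audit event should raise an
inbox-forwarding alert, suppressing it only when EVERY forwarding recipient
belongs to an internal domain (added example, not Rapid7 code)."""
import json
import re

# Constructed allowlist for the example; in practice this comes from the
# tenant's accepted domains or, as one reply in the thread does, a CMDB lookup.
INTERNAL_DOMAINS = {"mydomain.com", "mydomain.onmicrosoft.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_of(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def forwarding_recipients(source_json):
    """Return (saw_forward_action, recipients) for the event shapes the thread
    mentions: UpdateInboxRules carries a JSON string in the RuleActions
    operation property; New-InboxRule / Set-InboxRule / Set-Mailbox carry
    Forward* parameters (ForwardTo, ForwardingSmtpAddress, ...)."""
    saw_forward, recipients = False, []
    op = source_json.get("Operation", "")
    if op == "UpdateInboxRules":
        for prop in source_json.get("OperationProperties", []):
            if prop.get("Name") != "RuleActions":
                continue
            try:
                actions = json.loads(prop.get("Value", "[]"))
            except json.JSONDecodeError:
                actions = []
            for action in actions:
                if str(action.get("ActionType", "")).lower() == "forward":
                    saw_forward = True
                    recipients.extend(action.get("Recipients", []))
    elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        for param in source_json.get("Parameters", []):
            if "forward" in str(param.get("Name", "")).lower():
                saw_forward = True
                recipients.extend(EMAIL_RE.findall(str(param.get("Value", ""))))
    return saw_forward, recipients


def should_alert(source_json, internal_domains=INTERNAL_DOMAINS):
    """Alert unless every forwarding recipient is in an internal domain.
    A forward action whose recipient cannot be parsed is treated as external,
    so malformed or unexpected values fail towards alerting."""
    saw_forward, recipients = forwarding_recipients(source_json)
    if not saw_forward:
        return False, "no forwarding action"
    if not recipients:
        return True, "forwarding action with no parseable recipient"
    external = sorted({r for r in recipients if domain_of(r) not in internal_domains})
    if external:
        return True, "external recipient(s): " + ", ".join(external)
    return False, "all recipients internal"


# Constructed sample events (the source_json part of each log), modelled on
# the obfuscated UpdateInboxRules event posted in the thread.
SAMPLE_EVENTS = {
    "internal_only": {
        "Operation": "UpdateInboxRules",
        "OperationProperties": [
            {"Name": "RuleOperation", "Value": "AddMailboxRule"},
            {"Name": "RuleActions", "Value":
             '[{"ActionType":"Forward","Recipients":["account2@mydomain.com"],"ForwardFlags":"None"}]'},
        ],
    },
    "mixed": {  # one internal and one external recipient in the same rule
        "Operation": "UpdateInboxRules",
        "OperationProperties": [
            {"Name": "RuleActions", "Value":
             '[{"ActionType":"Forward","Recipients":["account2@mydomain.com","someone@gmail.com"]}]'},
        ],
    },
    "smtp_forward": {
        "Operation": "Set-Mailbox",
        "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:someone@gmail.com"}],
    },
    "lookalike": {  # would pass a plain substring check on "@mydomain.com"
        "Operation": "Set-InboxRule",
        "Parameters": [{"Name": "ForwardTo", "Value": "user@mydomain.com.example"}],
    },
    "move_only": {  # not a forward: needs its own detection, not this exception
        "Operation": "UpdateInboxRules",
        "OperationProperties": [
            {"Name": "RuleActions", "Value": '[{"ActionType":"MoveToFolder","FolderName":"RSS Feeds"}]'},
        ],
    },
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        alert, reason = should_alert(event)
        print(f"{name:14} alert={alert!s:5} {reason}")
```

Two design choices worth noting: recipients are compared by exact domain rather than by substring, so an address like user@mydomain.com.example is not silently allowlisted the way an ICONTAINS "@mydomain.com" term would allow it; and the decision is made over all recipients of the rule, so a rule that forwards to an internal colleague and an outside address still alerts. The move-to-folder case from the earlier "RSS Feeds" story is deliberately not a forward and falls outside this exception, so it needs its own rule.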

Have been trying to achieve the same thing with ICON in our org.
There is also a completely different log format depending on whether the forwarding rule is created in the Outlook application or in Outlook Online.

For the internal / external domain I sorted that out by doing a SQL query against our CMDB, which contains a list of all domains of our subsidiaries; if the lookup does not return TRUE for finding the domain in the internal list, then fire off additional bells to make sure someone looks at it quicker than quick.


Hey Folks, I wrote up a topic on building an exception for the rule here: Building an Effective Exception Rule for Attacker Technique - Inbox Forwarding Rule Created