Query Details

External Email Forwarding Rule Detection

Query

//This query detects Inbox Rules being created that are forwarding emails to an external domain
CloudAppEvents
| where ActionType in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| extend ForwardingAddress = extract(@"Forward.*?([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", 1, tostring(ActivityObjects))
| where isnotempty(ForwardingAddress)
| where not(ForwardingAddress contains "@yourdomain") // replace "@yourdomain" with your own tenant domain
| project Timestamp, ActionType, CountryCode, City, ISP, IPAddress, AccountDisplayName, ForwardingAddress, ActivityObjects, ReportId, AccountId 

Explanation

This query is designed to identify instances where inbox rules are being created to forward emails to external domains, which could be a security concern. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at events in the CloudAppEvents table.

  2. Filter Actions: It filters the events to include only those related to mailbox and inbox rule actions, specifically: "Set-Mailbox", "New-InboxRule", "Set-InboxRule", and "UpdateInboxRules".

  3. Extract Forwarding Address: It extracts any email addresses that appear to be forwarding addresses from the ActivityObjects field.

  4. Exclude Internal Domains: It filters out any forwarding addresses that belong to the internal domain "@yourdomain", ensuring only external forwarding addresses are considered.

  5. Select Relevant Information: Finally, it selects and displays specific details about each event, including the timestamp, action type, location details (country, city, ISP, IP address), account information, the forwarding address, and other related activity details.

Overall, this query helps in monitoring and detecting potentially unauthorized email forwarding rules that could lead to data leakage.
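To show how the query's filter chain behaves on concrete rows, here is an added Python emulation (not part of the original page or the query's author) that applies the same regex and action filter to constructed CloudAppEvents-like records. It also contrasts the query's substring domain check with an exact-domain comparison; the placeholder domain `yourdomain.com` and the sample rows are assumptions.

```python
import json
import re

# Same capture pattern as the KQL extract(): the first address that follows "Forward"
FORWARD_RE = re.compile(r"Forward.*?([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})")
# ActionType values from the query; lower-cased because `in~` is case-insensitive
WATCHED_ACTIONS = {"set-mailbox", "new-inboxrule", "set-inboxrule", "updateinboxrules"}
INTERNAL_SUBSTRING = "@yourdomain"   # what the query's `contains` check uses
INTERNAL_DOMAIN = "yourdomain.com"   # assumed tenant domain for the exact check

def extract_forwarding_address(activity_objects):
    """Mirror tostring(ActivityObjects) followed by the regex capture group 1."""
    m = FORWARD_RE.search(json.dumps(activity_objects))
    return m.group(1) if m else ""

def is_internal(address, strict=False):
    """strict=False emulates `contains "@yourdomain"`; strict=True compares the
    full domain, so a lookalike such as yourdomain.example.org is not excluded."""
    if strict:
        return address.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN
    return INTERNAL_SUBSTRING in address.lower()

def detect_external_forwarding(events, strict=False):
    """Run the query's filters over CloudAppEvents-like dicts; return projected hits."""
    hits = []
    for ev in events:
        if ev["ActionType"].lower() not in WATCHED_ACTIONS:
            continue
        addr = extract_forwarding_address(ev["ActivityObjects"])
        if not addr or is_internal(addr, strict):
            continue
        hits.append({"Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
                     "AccountDisplayName": ev["AccountDisplayName"], "ForwardingAddress": addr})
    return hits

# Constructed sample rows (not real telemetry); ActivityObjects mimics the
# dynamic column's name/value object shape
SAMPLE_EVENTS = [
    {"Timestamp": "2024-11-10T08:01:00Z", "ActionType": "New-InboxRule", "AccountDisplayName": "alice",
     "ActivityObjects": [{"Name": "ForwardTo", "Value": "alice.backup@example.net"}]},
    {"Timestamp": "2024-11-10T08:05:00Z", "ActionType": "Set-Mailbox", "AccountDisplayName": "bob",
     "ActivityObjects": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@yourdomain.com"}]},
    {"Timestamp": "2024-11-10T08:09:00Z", "ActionType": "Set-InboxRule", "AccountDisplayName": "carol",
     "ActivityObjects": [{"Name": "ForwardAsAttachmentTo", "Value": "carol@yourdomain.example.org"}]},
    {"Timestamp": "2024-11-10T08:12:00Z", "ActionType": "Remove-InboxRule", "AccountDisplayName": "dave",
     "ActivityObjects": [{"Name": "ForwardTo", "Value": "dave@example.com"}]},
    {"Timestamp": "2024-11-10T08:15:00Z", "ActionType": "New-InboxRule", "AccountDisplayName": "erin",
     "ActivityObjects": [{"Name": "MoveToFolder", "Value": "Archive"}]},
]

if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "substring", detect_external_forwarding(SAMPLE_EVENTS, strict))
```

With the substring check only alice's rule is reported, while the exact-domain check also surfaces carol's forward to the lookalike domain.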

Details

@KillaB0nez

Released: November 10, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, ForwardingAddress, ActivityObjects, Timestamp, CountryCode, City, ISP, IPAddress, AccountDisplayName, ReportId, AccountId

Operators

in~, extend, extract, tostring, isnotempty, contains, not, project