Query Details

RULE 14 M365 Exchange Transport Rule Manipulation

Query

// Rule    : M365 - Exchange Transport Rule Modified (Mail Flow Manipulation)
// Severity: High
// Tactics : DefenseEvasion, Exfiltration, Collection
// MITRE   : T1114.003 (Email Forwarding Rule), T1036 (Masquerading)
// Freq    : PT1H   Period: PT1H
// Description: Detects creation, modification, or enabling of Exchange Online
//              transport rules that forward, redirect, or modify email in transit.
//              Transport rules can bypass DLP and silently exfiltrate messages.
//==========================================================================================

let LookbackPeriod = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "New-TransportRule", "Set-TransportRule",
    "Enable-TransportRule", "New-JournalRule",
    "New-RemoteDomain", "Set-RemoteDomain",
    "New-AcceptedDomain")
| extend Params = tostring(Parameters)
| extend
    HasForward      = Params has_any ("RedirectMessageTo", "CopyTo", "BlindCopyTo", "AddToRecipients"),
    HasBypass       = Params has_any ("SetHeaderName", "ExceptIfSenderDomainIs", "SenderDomainIs"),
    RuleCondition   = extract(@"Condition.*?:(.*?)(\s|$)", 1, Params),
    DestinationAddr = extract(@"(RedirectMessageTo|CopyTo|BlindCopyTo|AddToRecipients).*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})", 2, Params)
// 'matches regex' uses RE2, which has no lookahead, so the external check is made on the
// extracted destination address instead. Add the tenant's own vanity domains to this test.
| extend HasExternalDest = isnotempty(DestinationAddr) and not(DestinationAddr endswith ".onmicrosoft.com")
| project
    TimeGenerated,
    UserId,
    ClientIP,
    Operation,
    HasForward,
    HasExternalDest,
    HasBypass,
    DestinationAddr,
    RuleCondition,
    Params,
    AlertSeverity  = case(
        HasForward and HasExternalDest, "High",
        HasForward,                     "Medium",
        "Low")

Explanation

This KQL query is designed to detect suspicious activities related to the modification of Exchange Online transport rules, which can be used to manipulate email flow. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify the creation, modification, or enabling of transport rules in Exchange Online that could potentially forward, redirect, or alter emails in transit. Such actions can bypass Data Loss Prevention (DLP) measures and lead to silent exfiltration of emails.

  2. Time Frame: It looks at activities that occurred within the last hour.

  3. Data Source: The query examines records from the OfficeActivity table, specifically focusing on entries where the RecordType is "ExchangeAdmin".

  4. Operations of Interest: It filters for specific operations that change mail flow: creating or modifying transport rules (New-TransportRule, Set-TransportRule), enabling them (Enable-TransportRule), creating journal rules (New-JournalRule), and adding or changing remote and accepted domains (New-RemoteDomain, Set-RemoteDomain, New-AcceptedDomain).

  5. Parameters Extraction: The query extracts and analyzes parameters from these operations to identify:

    • If any forwarding actions are present (e.g., redirecting or copying emails).
    • If the destination is external (not within the organization's domain).
    • If there are any bypass conditions that might allow rules to circumvent normal checks.

  6. Additional Information: It extracts specific conditions and destination addresses from the parameters for further analysis.

  7. Output: The query projects relevant information such as the time of the activity, user ID, client IP, operation type, and whether certain conditions (forwarding, external destination, bypass) are met.

  8. Alert Severity: It assigns a severity level to each detected activity:

    • "High" if there is forwarding to an external destination.
    • "Medium" if there is forwarding but no external destination.
    • "Low" if neither condition is met.

In summary, this query helps identify potentially malicious changes to email transport rules that could be used for data exfiltration or evasion of security measures.
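The steps above can be exercised offline before the rule is deployed. The following Python script is an added example, not part of the original rule or its author's work: it applies the same classification (forwarding parameters, external destination, bypass parameters, severity) to constructed OfficeActivity-style records. It assumes the Parameters field carries cmdlet parameters as a JSON array of {"Name", "Value"} objects, and the internal-domain list (contoso.com, contoso.onmicrosoft.com) is a constructed placeholder. It goes slightly beyond the query by testing only addresses found in forwarding parameters, so an external address used merely as a sender condition does not raise the severity.

```python
import json
import re

FORWARD_PARAMS = ("RedirectMessageTo", "CopyTo", "BlindCopyTo", "AddToRecipients")
BYPASS_PARAMS = ("SetHeaderName", "ExceptIfSenderDomainIs", "SenderDomainIs")
WATCHED_OPERATIONS = {
    "New-TransportRule", "Set-TransportRule", "Enable-TransportRule", "New-JournalRule",
    "New-RemoteDomain", "Set-RemoteDomain", "New-AcceptedDomain",
}
# Constructed list of the tenant's own domains; a real deployment loads this from config.
INTERNAL_DOMAINS = ("contoso.com", "contoso.onmicrosoft.com")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def _record(operation, params, user="admin@contoso.onmicrosoft.com", ip="203.0.113.10"):
    """Build a constructed ExchangeAdmin record; Parameters is the assumed Name/Value JSON array."""
    return {
        "TimeGenerated": "2026-03-18T09:12:00Z", "RecordType": "ExchangeAdmin",
        "Operation": operation, "UserId": user, "ClientIP": ip,
        "Parameters": json.dumps([{"Name": n, "Value": v} for n, v in params]),
    }


# Constructed sample log records (not real tenant data).
SAMPLE_RECORDS = [
    # Copies invoice mail outside the tenant and tampers with a header: High, bypass.
    _record("New-TransportRule", [("Name", "Finance archive"), ("SubjectContainsWords", "invoice"),
                                  ("BlindCopyTo", "collector@example.net"),
                                  ("SetHeaderName", "X-MS-Exchange-Organization-SCL")]),
    # Redirects to an internal mailbox only: Medium.
    _record("Set-TransportRule", [("Identity", "Legal hold"), ("RedirectMessageTo", "legal@contoso.com")]),
    # External address appears only as a sender condition, no forwarding: Low.
    _record("New-TransportRule", [("Name", "Block impostor"), ("From", "ceo@example.net"),
                                  ("RejectMessageReasonText", "Blocked")]),
    # Not a watched operation, so the rule ignores it.
    _record("Remove-TransportRule", [("Identity", "Finance archive")]),
]


def parse_parameters(raw):
    """Turn the Name/Value JSON array into a dict; repeated names are concatenated."""
    params = {}
    for entry in json.loads(raw):
        name, value = entry.get("Name", ""), str(entry.get("Value", ""))
        params[name] = f"{params[name]} {value}" if name in params else value
    return params


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True unless the address domain is (a sub-domain of) a known internal domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def classify(record, internal_domains=INTERNAL_DOMAINS):
    """Return the projected alert row for one record, or None if it is out of scope."""
    if record.get("RecordType") != "ExchangeAdmin" or record.get("Operation") not in WATCHED_OPERATIONS:
        return None
    params = parse_parameters(record["Parameters"])
    # Only addresses inside forwarding parameters count as destinations.
    destinations = [addr for name in FORWARD_PARAMS
                    for addr in EMAIL_RE.findall(params.get(name, ""))]
    has_forward = any(name in params for name in FORWARD_PARAMS)
    has_external = any(is_external(a, internal_domains) for a in destinations)
    has_bypass = any(name in params for name in BYPASS_PARAMS)
    severity = "High" if has_forward and has_external else "Medium" if has_forward else "Low"
    return {
        "TimeGenerated": record["TimeGenerated"], "UserId": record["UserId"],
        "ClientIP": record["ClientIP"], "Operation": record["Operation"],
        "HasForward": has_forward, "HasExternalDest": has_external, "HasBypass": has_bypass,
        "DestinationAddr": destinations, "AlertSeverity": severity,
    }


def run(records, internal_domains=INTERNAL_DOMAINS):
    """Apply classify() to every record and keep only in-scope rows."""
    return [row for row in (classify(r, internal_domains) for r in records) if row]


if __name__ == "__main__":
    for row in run(SAMPLE_RECORDS):
        print(row["AlertSeverity"], row["Operation"], row["UserId"], row["DestinationAddr"])
```

Because the domain test is a suffix match on an explicit list rather than a regular expression, it also rejects look-alike domains such as contoso.com.evil.example, which a substring check on "contoso.com" would accept.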

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

ExchangeOnline

Operators

let, ago, in, extend, tostring, has_any, matches regex, extract, project, case
