Triggers
- A new Exchange transport rule has been created with a potentially risky action that may provide email collection, exfiltration, or deletion capabilities (BlindCopyTo, CopyTo, Delete).
Possible Root Causes
- An attacker has gained Exchange administrator access with the capabilities of forwarding sensitive emails prior to their arrival in a user’s inbox to an attacker controlled email address (internal or external).
- An attacker may be preparing to delete important emails prior to their arrival in a user’s inbox to prevent important alerts or notifications from occurring.
- A legitimate transport rule was added to support business requirements or prevent dangerous emails from reaching user inboxes.
Business Impact
- Because email services are critical to so many enterprise activities, attackers prioritize access both as a means of progressing an attack as well as a mechanism for data exfiltration.
- Forwarded emails may expose sensitive data.
- Deleted emails may mask security alerts or important emails alerting an organization to a breach.
- The combination of forwarded and deleted emails may allow an external party to impersonate internal users to further their goals.
Steps to Verify
- Validate the new transport rule serves a business purpose, does not create a risk of data exposure, and has been implemented according to proper change control processes.