General
This check verifies whether any transport (mail flow) rules in Exchange Online are configured to change the recipient of a message, i.e. to redirect it to another mailbox.
Rationale
Attackers often use such rules to exfiltrate data from your Microsoft 365 organization, for example after gaining access to a colleague's account. An internal employee can also use this method, intentionally or unintentionally, to leak sensitive data.
Manual Instruction
Perform these steps to adjust the setting:
- Open the Exchange admin panel https://admin.exchange.microsoft.com
- Go to Mail Flow and Rules
- Find the rule to which the incident refers and investigate whether it is desired or undesired
- If the rule is undesired: remove it and conduct a follow-up investigation into the account of the user who created this rule to determine appropriate actions.
- If the rule is desired: it can be added to an exceptions list in Attic so that it no longer triggers alarms.
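The same triage can be done in Exchange Online PowerShell, which is more practical than the admin panel when a tenant has many rules or when you want to list every redirecting rule at once. The script below is an added example and is not part of this page or of Attic; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Exchange administrator role (read-only roles suffice for steps 1 and 2). The audit-log step assumes unified audit logging is enabled in the tenant and that the rule name appears in the audit record's ObjectId, which is an assumption about the record format.

```powershell
# Added example, not Attic's own code. Assumes the ExchangeOnlineManagement
# module and an account with the Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 1: list every transport rule that changes where a message ends up.
# RedirectMessageTo is the "redirect the message to" action this check looks for.
# BlindCopyTo and CopyTo deliver a silent copy and are reported as well, since
# they leak mail just as effectively as a redirect.
$redirectRules = Get-TransportRule -ResultSize Unlimited | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo
}

$redirectRules |
    Select-Object Name, State, Priority, WhenChanged,
        @{ Name = 'RedirectTo'; Expression = { $_.RedirectMessageTo -join ';' } },
        @{ Name = 'Bcc';        Expression = { $_.BlindCopyTo -join ';' } },
        @{ Name = 'Cc';         Expression = { $_.CopyTo -join ';' } } |
    Format-Table -AutoSize

# Step 2: find out who created or last changed each rule, so the follow-up
# investigation of that account can start. Requires unified audit logging;
# the default retention window is 90 days, hence the date range.
$end   = Get-Date
$start = $end.AddDays(-90)
$ruleChanges = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'New-TransportRule', 'Set-TransportRule' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

foreach ($rule in $redirectRules) {
    # Assumption: the rule name is contained in the audit record's ObjectId.
    $ruleChanges |
        Where-Object { $_.ObjectId -like "*$($rule.Name)*" } |
        Select-Object CreationTime, UserId, Operation, ObjectId |
        Sort-Object CreationTime |
        Format-Table -AutoSize
}

# Step 3 (only after the investigation has concluded the rule is undesired):
# Remove-TransportRule -Identity '<rule name from step 1>' -Confirm:$true
```

Run steps 1 and 2 first and review the output; the removal in step 3 is left as a comment so that nothing is deleted before the rule's origin has been established.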
CIS Mapping
- CIS Item: 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
- Profile: E3 Level 1