Identifying suspicious mail rules

by bfadmin

Posted on at 05:25am

Over the past few months, we’ve seen a significant increase in the number of highly targeted phishing attacks on schools and businesses which have demonstrated a level of sophistication we’d not encountered previously.

The current modus operandi appears to be:

1. Attacker targets “high-value” person within organisation (for example business manager, principal, accounts payable, CFO, etc)
2. Attacker sends spear-phishing email to target to collect login details
3. Attacker uses credentials to log in as end user, and configures mail-forward on target’s mail account
4. Attacker watches mail flow for weeks or months, searching for high-value opportunities (typically an upcoming large payment)
5. Attacker intercepts payment requests, deleting original email from inbox
6. Attacker replaces payment request with custom crafted email (modified from original), changing payment details to reflect an account the attacker has control of
7. Profit.

As we know, effective anti-spam, anti-phishing solutions can often intercept & address point two, however sometimes these things slip through the cracks. Office 365’s advanced threat protection analytics engine is remarkably effective at identifying this. Similarly, Office 365’s/Azure Security Dashboards and analytics are great at identifying suspicious logins for a user account. Plus, those high-value accounts are all using multi-factor authentication anyway, right?

However, lets assume for a moment that you’ve yet to get that all setup, or you have your suspicions that something may already be in place and you want to check out whether this is an issue… How might you do this?

It turns out, dumping a list of mailbox rules currently in place across your organisation is incredibly simple to do. Take a look at the below Powershell script:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
$mailboxes = Get-Mailbox
$results = foreach ($mailbox in $mailboxes) {
Get-InboxRule -Mailbox $mailbox.Alias | Select Enabled,Name,Priority,From,SentTo,CopyToFolder,DeleteMessage,ForwardTo,MarkAsRead,MoveToFolder,RedirectTo,MailboxOwnerId

$results | Export-CSV -Path MyInboxRules.csv -NoTypeInformation

This script connects to Office 365, grabs a list of all of your mailboxes, and exports the mailbox rules that are in place to a CSV for you to review. Pay particular attention to the ForwardTo/RedirectTo fields for any external email addresses, or suspicious values.

There are more sophisticated ways to keep an eye on this, and in some ways this is using a hammer to crack a walnut, however it may just be worth running this against your environment and confirming you’re not currently in the midst of a targeted attack. Oh, and don’t forget to enable MFA.