Hunting Email Forwarding Outside Organization Using Azure Sentinel

Nimantha Deshappriya
3 min read, May 6, 2022


It is a well-known technique: adversaries exfiltrate data by forwarding email from a compromised mailbox to an address outside the organization.

The Lockheed Martin Cyber Kill Chain places exfiltration in its final stage, Actions on Objectives, the point at which an adversary gets data out of the compromised target. An intrusion typically progresses from reconnaissance (usually the first stage of an attack), through exploitation and lateral movement (moving across the network to reach more systems and data), to data exfiltration.

Cyber Kill Chain by Lockheed Martin

Microsoft has implemented a number of countermeasures to detect this behavior. Blue teams can also use Azure Sentinel to hunt for any email forwarding that has been set up to addresses outside the environment.

When a mailbox is configured to automatically forward email to an external domain, the built-in alert shows the time, the external domain, the IP address and the email address involved. You can also use Azure Sentinel to search for the underlying activity directly, which is what you want when hunting rather than waiting for an alert.

The OfficeActivity table is a good starting point because it holds the Office 365 Exchange audit records for the environment, including the Exchange cmdlets that were run and the parameters passed to them.

The first KQL query searches the OfficeActivity table for the Set-Mailbox cmdlet, which exists in both on-premises Exchange Server and Exchange Online. Set-Mailbox is mostly used to change mailbox settings.

Filtering on the Set-Mailbox operation therefore returns every change made to mailbox settings in Exchange Server and Exchange Online, not just forwarding changes.

The query can then be narrowed with an additional parameter to get more accurate results: add a filter on the DeliverToMailboxAndForward parameter. Keep in mind that DeliverToMailboxAndForward only controls whether a copy of each message stays in the mailbox; the forwarding target itself is set through the ForwardingSmtpAddress or ForwardingAddress parameter, so a Set-Mailbox call that sets only the target (and leaves DeliverToMailboxAndForward untouched) would be missed by a filter on DeliverToMailboxAndForward alone.

If you expand one of those results, you will find a Parameters section in JSON format: an array of name/value pairs, one for each parameter passed to the cmdlet. It provides specific information that is useful for the hunt.
If DeliverToMailboxAndForward is set to True, the mailbox has been configured to forward mail while keeping a copy in the mailbox. Note that this is mailbox-level forwarding set with Set-Mailbox; forwarding configured through inbox rules (New-InboxRule or Set-InboxRule with ForwardTo or RedirectTo) is logged as a separate operation and needs its own query.

Running that query gives us a few crucial details (who made the change, from which IP address, and to which mailbox) that let us continue the investigation.

Using the above information, we can build a query that returns the user principal name, the target mailbox, and the forwarding email address.

A new column named ForwardingEmailAddress is extracted from the Parameters JSON, so there is no need to expand the Parameters section of each row to see the forwarding address.
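To make the steps above concrete, here is one complete query that does all three things (filters on Set-Mailbox, pulls DeliverToMailboxAndForward out of the Parameters JSON, and extracts the forwarding address), written as an added example for this article rather than the author's own query. It assumes the default OfficeActivity schema in Azure Sentinel and uses contoso.com and contoso.onmicrosoft.com as placeholder internal domains; replace those with your tenant's accepted domains.

```kql
// Added example for this article; not the author's original query.
// Assumes the default OfficeActivity schema in Azure Sentinel and
// placeholder internal domains (contoso.com / contoso.onmicrosoft.com).
let InternalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
OfficeActivity
| where TimeGenerated > ago(30d)
| where OfficeWorkload == "Exchange"
| where Operation =~ "Set-Mailbox"
// Parameters is a JSON array of {"Name": ..., "Value": ...} objects;
// flatten it into one property bag per row so each parameter is addressable by name.
| extend Params = parse_json(Parameters)
| mv-apply P = Params on (
    summarize ParamMap = make_bag(bag_pack(tostring(P.Name), tostring(P.Value)))
  )
| extend TargetMailbox = tostring(ParamMap.Identity),
         DeliverToMailboxAndForward = tostring(ParamMap.DeliverToMailboxAndForward),
         // ForwardingSmtpAddress is logged as "smtp:user@domain"; ForwardingAddress
         // points at an internal recipient object and usually has no "@" to split on.
         ForwardingEmailAddress = coalesce(tostring(ParamMap.ForwardingSmtpAddress),
                                           tostring(ParamMap.ForwardingAddress))
// A Set-Mailbox call that did not touch forwarding (or cleared it) has an empty value here.
| where isnotempty(ForwardingEmailAddress)
| extend ForwardingEmailAddress = replace_regex(ForwardingEmailAddress, @"(?i)^smtp:", "")
| extend ForwardingDomain = tolower(tostring(split(ForwardingEmailAddress, "@")[1]))
// Keep only forwarding that leaves the organization.
| where isnotempty(ForwardingDomain) and ForwardingDomain !in (InternalDomains)
| project TimeGenerated, UserId, TargetMailbox, ClientIP, ForwardingEmailAddress,
          ForwardingDomain, DeliverToMailboxAndForward, ResultStatus
| sort by TimeGenerated desc
```

Two points worth checking when you run this: a row with DeliverToMailboxAndForward set to True is the quieter variant, because the victim keeps seeing their mail and is less likely to notice, so those rows deserve a closer look; and since Set-Mailbox only covers mailbox-level forwarding, run a companion query over the New-InboxRule and Set-InboxRule operations (looking at the ForwardTo, ForwardAsAttachmentTo and RedirectTo parameters) to catch forwarding configured through inbox rules.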
