Transport Rule Forwards Email to External Domain [RULE-1024]
This rule detects when a new email transport rule (mail flow rule) is created in Exchange Online that forwards or redirects email to an external recipient. Transport rules operate at the organizational level and affect all mailboxes in the tenant, making them a powerful tool for data exfiltration when abused.
Rationale
Transport rules can only be created by users with Exchange administrator privileges, which means this detection either indicates a compromised admin account or an intentional but potentially risky configuration change. This technique is mapped to MITRE ATT&CK as T1114.003 (Email Collection: Email Forwarding Rule) and T1020 (Automated Exfiltration).
After compromising an Exchange administrator account, an attacker can create transport rules that silently redirect or copy all organizational email to an external address. Unlike mailbox-level rules, which affect only a single user, transport rules can intercept email for the entire organization. This makes them an extremely high-impact threat: a single transport rule can exfiltrate every email sent or received by every user in the organization.
Attackers use this technique to intercept sensitive communications across the entire organization, gather intelligence for BEC/CEO fraud, monitor security-related notifications (such as alert emails about suspicious activity), and collect credentials from password reset emails. Because transport rules require admin privileges, their unauthorized creation is a strong indicator of a high-privilege account compromise that demands immediate investigation.
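The detection logic described above, written out as an added example that is not the vendor's own code: it reads Unified Audit Log records in the shape that Search-UnifiedAuditLog returns in AuditData (Operation, Workload, UserId and a Parameters array of Name/Value pairs), looks at New-TransportRule and Set-TransportRule events, pulls every recipient from the forwarding-type parameters (RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients) and flags any whose domain is not one of the tenant's accepted domains. It also extracts the scoping parameters so an analyst can see which mail the rule affects, which is the first item in the follow-up below. The audit records, the accepted-domain list and the ";"-separated encoding of multi-valued parameter values are constructed assumptions for this example; in practice the accepted domains come from Get-AcceptedDomain.

```python
"""Flag transport rules that forward or redirect mail outside the tenant.

Added example for the detection rule above, not the vendor's code.
Input: AuditData JSON strings from Exchange Online audit records.
"""
from __future__ import annotations

import json
from typing import Optional

# New-TransportRule / Set-TransportRule parameters whose value is a list of
# recipients that receive a copy of (or the whole) message.
FORWARDING_PARAMS = {"RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients"}

# Parameters that limit which messages the rule applies to; reported so the
# analyst can see what mail is affected. Absence means "all messages".
SCOPE_PARAMS = {
    "From", "SentTo", "FromMemberOf", "SentToMemberOf", "FromScope",
    "SentToScope", "SubjectContainsWords", "SubjectOrBodyContainsWords",
}

# Constructed tenant data: the domains Exchange Online treats as internal.
SAMPLE_ACCEPTED_DOMAINS = {"contoso.example", "contoso.onmicrosoft.com"}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def _split_recipients(value: str) -> list[str]:
    """Assumption: multi-valued parameters are serialised as 'a;b;c'."""
    return [r.strip() for r in value.split(";") if r.strip()]


def analyse_record(audit_data: str, accepted_domains: set[str]) -> Optional[dict]:
    """Return an alert dict for an externally forwarding rule, else None."""
    rec = json.loads(audit_data)
    if rec.get("Workload") != "Exchange":
        return None
    if rec.get("Operation") not in ("New-TransportRule", "Set-TransportRule"):
        return None
    accepted = {d.lower() for d in accepted_domains}
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

    external = []
    for name in sorted(FORWARDING_PARAMS.intersection(params)):
        for addr in _split_recipients(params[name]):
            if _domain(addr) not in accepted:
                external.append((name, addr))
    if not external:
        return None

    return {
        # New-TransportRule carries the name in -Name, Set-TransportRule in -Identity.
        "rule_name": params.get("Name") or params.get("Identity", "<unknown>"),
        "operation": rec["Operation"],
        "actor": rec.get("UserId"),
        "time": rec.get("CreationTime"),
        "external_recipients": external,
        "scope": {k: v for k, v in params.items() if k in SCOPE_PARAMS}
                 or {"(all messages)": ""},
    }


def scan(records: list[str], accepted_domains: set[str]) -> list[dict]:
    """Run analyse_record over a batch and keep only the alerts."""
    found = (analyse_record(r, accepted_domains) for r in records)
    return [a for a in found if a]


# Constructed audit records: one malicious BCC rule, one internal redirect,
# one unrelated mailbox change.
SAMPLE_RECORDS = [
    json.dumps({
        "CreationTime": "2024-05-02T10:14:33", "Workload": "Exchange",
        "Operation": "New-TransportRule", "UserId": "admin@contoso.example",
        "Parameters": [
            {"Name": "Name", "Value": "Archive finance mail"},
            {"Name": "SentToMemberOf", "Value": "finance@contoso.example"},
            {"Name": "BlindCopyTo", "Value": "archive@attacker-controlled.example"},
            {"Name": "Mode", "Value": "Enforce"},
        ],
    }),
    json.dumps({
        "CreationTime": "2024-05-02T11:02:10", "Workload": "Exchange",
        "Operation": "Set-TransportRule", "UserId": "admin@contoso.example",
        "Parameters": [
            {"Name": "Identity", "Value": "Route support mail"},
            {"Name": "RedirectMessageTo", "Value": "helpdesk@contoso.example"},
        ],
    }),
    json.dumps({
        "CreationTime": "2024-05-02T11:30:00", "Workload": "Exchange",
        "Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
        "Parameters": [{"Name": "Identity", "Value": "user@contoso.example"}],
    }),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS, SAMPLE_ACCEPTED_DOMAINS):
        print(json.dumps(alert, indent=2))
```

Only the first constructed record produces an alert: it names the actor, the rule, the external BCC address and the SentToMemberOf scope, which is exactly the information the follow-up asks the responder to confirm with the administrator. Checking the recipient domain against the accepted-domain list, rather than against a single hard-coded company domain, keeps the check correct for tenants with several verified domains.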
Follow-up
Follow these steps to adequately address this detection:
- Verify with the administrator who created the transport rule whether this was an intentional and authorized change. Check the rule name, which external address it redirects to, and which emails it affects. Keep in mind that transport rules apply to the entire organization.
- If no: the transport rule was not intentionally created and is likely malicious:
  - Immediately disable or remove the transport rule from Exchange Online.
  - Reset the password of the administrator account that created the rule and revoke all active sessions via Microsoft Entra ID.
  - Review the Unified Audit Log for other administrative changes made by this account. Check for additional transport rules, mailbox rules, or configuration changes.
  - Consider engaging Attic for a full incident response investigation, as a compromised admin account may have been used for additional malicious activities.
- If yes: the transport rule was intentionally created by an authorized administrator:
  - Verify that creating transport rules that forward email externally is permitted under your organization's security policy.
  - If acceptable: document the business justification and close the incident.