Transport Rule with Suspicious Keywords [RULE-1026]
This rule detects when a new email transport rule (mail flow rule) is created in Exchange Online that filters email based on suspicious search terms. Attackers with administrative access can create transport rules that intercept, redirect, delete, or manipulate emails matching specific keywords, enabling them to control information flow across the entire organization.
Rationale
Transport rules with keyword-based filtering are a sophisticated technique used by attackers after compromising an Exchange administrator account. This technique is mapped to MITRE ATT&CK as T1114 (Email Collection) and T1564.008 (Hide Artifacts: Email Hiding Rules).
After gaining administrative access, an attacker can create transport rules that search for specific terms in the subject or body of emails and then take actions such as deleting, redirecting, or silently copying those messages. For example, an attacker could create a rule that intercepts all emails containing words like "security alert", "suspicious activity", or "password reset" and deletes or redirects them. This effectively blinds the organization's security monitoring by preventing warning emails from reaching administrators.
Another common abuse scenario involves intercepting financial communications. An attacker might create a transport rule that copies all emails containing terms like "invoice", "wire transfer", or "bank account" to an external address, enabling them to gather intelligence for BEC/CEO fraud attacks. Because transport rules operate at the organizational level, a single rule can affect every user's email, making this a high-impact threat. The fact that transport rules require administrator privileges means that their unauthorized creation indicates a serious compromise of a privileged account.
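As an added example that is not part of this rule's own logic, the following Python checker applies the idea described above to constructed Unified Audit Log records: it flags New-TransportRule events whose keyword filters match the alert-suppression and financial terms named in the rationale, and raises the severity when the same rule also deletes, redirects or silently copies the matching mail. The record layout (Operation, UserId, Parameters as Name/Value pairs), the rule names and the addresses are assumptions constructed for the sample.

```python
"""Flag New-TransportRule audit events whose keyword filters look suspicious."""
import json

# Keyword families named in the rule text: alert suppression and financial terms.
SUSPICIOUS_TERMS = {
    "security alert", "suspicious activity", "password reset",
    "invoice", "wire transfer", "bank account",
}
# New-TransportRule parameters that match on message text.
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Parameters that delete, divert or silently copy matching mail.
HIGH_RISK_ACTIONS = {"DeleteMessage", "RedirectMessageTo", "BlindCopyTo", "CopyTo", "Quarantine"}


def evaluate_event(event: dict) -> dict:
    """Return a finding for one audit record, or an empty dict if it is not of interest."""
    if event.get("Operation") != "New-TransportRule":
        return {}
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    # Keyword values are logged as one comma-separated string; normalise for matching.
    words = set()
    for name in set(params) & KEYWORD_PARAMS:
        words.update(w.strip().lower() for w in params[name].split(",") if w.strip())
    hits = sorted(w for w in words if any(term in w for term in SUSPICIOUS_TERMS))
    if not hits:
        return {}
    actions = sorted(set(params) & HIGH_RISK_ACTIONS)
    return {
        "rule": params.get("Name", "<unnamed>"),
        "actor": event.get("UserId"),
        "keywords": hits,
        "actions": actions,
        # Escalate when the rule matches sensitive terms AND deletes or diverts the mail.
        "severity": "high" if actions else "medium",
    }


def scan(records: str) -> list:
    """Evaluate newline-delimited JSON audit records and return all findings."""
    events = (json.loads(line) for line in records.splitlines() if line.strip())
    return [f for f in map(evaluate_event, events) if f]


# Constructed sample records (assumed shape of Exchange Online admin audit entries).
SAMPLE = """
{"Operation":"New-TransportRule","UserId":"admin@contoso.example","Parameters":[{"Name":"Name","Value":"Filter alerts"},{"Name":"SubjectOrBodyContainsWords","Value":"Security Alert,Password Reset"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-TransportRule","UserId":"admin@contoso.example","Parameters":[{"Name":"Name","Value":"Finance copy"},{"Name":"SubjectContainsWords","Value":"invoice,wire transfer"},{"Name":"BlindCopyTo","Value":"mailbox@external.example"}]}
{"Operation":"New-TransportRule","UserId":"it@contoso.example","Parameters":[{"Name":"Name","Value":"Footer"},{"Name":"ApplyHtmlDisclaimerText","Value":"Confidential"}]}
{"Operation":"Set-TransportRule","UserId":"it@contoso.example","Parameters":[{"Name":"Name","Value":"Footer"},{"Name":"SubjectContainsWords","Value":"invoice"}]}
"""
```

Running `scan(SAMPLE)` yields two findings: the alert-deleting rule and the finance-copying rule, both at high severity, while the disclaimer rule and the Set-TransportRule modification are ignored.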
Follow-up
Follow these steps to adequately address this detection:
- Review the transport rule that was created, focusing on which keywords it searches for and what actions it performs (delete, redirect, copy, quarantine). Verify with the administrator who created the rule whether this was an authorized change. Keep in mind that transport rules apply to the entire organization.
- If no: The transport rule was not intentionally created and is likely malicious:
  - Immediately disable or remove the suspicious transport rule from Exchange Online.
  - Reset the password of the administrator account that created the rule and revoke all active sessions via Microsoft Entra ID.
  - Review the Unified Audit Log for other administrative changes made by this account. Check whether other transport rules or configuration changes were made.
  - Consider engaging Attic for a full incident response investigation, as a compromised admin account with the ability to create transport rules represents a serious security breach.
- If yes: The transport rule was intentionally created by an authorized administrator:
  - Verify that the rule's keyword filtering and actions are appropriate and do not pose a security risk.
  - If acceptable: document the business justification and close the incident.