a new transport rule may be created by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1537
o365
elastic

Techniques

T1537

Sample rules

Microsoft 365 Exchange Transport Rule Creation

source: elastic
technicques:
- T1537

Description

Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success