Insecure mail forwarding rules
Associated with
Inboxes
Underlying signals
External mail forward (RS10), Common exploitable mail forward (RS11)
Reasonings
An inbox triggers this event when both of the first two conditions hold and at least one of the remaining three holds for any single forwarding rule on it:
- Enabled inbox, and
  - Any inbox that is enabled, regardless of whether it is a regular mailbox, a shared mailbox, or a distribution group
- Has mail forward rules, and
  - Inboxes without mail forward rules will never trigger this event
- A mail forward rule that forwards emails to an external address, or
  - Cork does not consider a domain as external if that domain is present in the same client's environment; these are primarily alias domains
- A mail forward rule's display name is one character long, or
  - Attackers may configure a mail forward rule with a single-character display name (for example, a lone period) in an attempt to "hide" it, since such a rule is easy to overlook in a mailbox's rule list
- A mail forward rule's display name is commonly linked to an exploit
  - The list of such names changes and is constantly being reevaluated; Cork generally follows Red Canary's email threat detection guidelines
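As an added worked example (not Cork's code and not its actual rule set), the Python below evaluates the conditions above over a constructed set of inboxes and reports which ones trigger the event and why. The client domain list, the inbox records and the SUSPICIOUS_RULE_NAMES set are assumptions made for illustration; the last is a stand-in for the Red Canary-derived name list, which this page does not reproduce.

```python
"""Evaluate the 'Insecure mail forwarding rules' conditions over constructed inbox data."""
from __future__ import annotations

from dataclasses import dataclass, field

# ASSUMPTION: illustrative stand-in for the "commonly linked to an exploit" name list.
# The real list Cork uses (based on Red Canary's guidelines) is not on this page.
SUSPICIOUS_RULE_NAMES = {"rss feeds", "rss feed", "..."}


@dataclass
class ForwardRule:
    display_name: str
    forward_to: list[str]          # addresses the rule forwards or redirects to


@dataclass
class Inbox:
    address: str
    kind: str                      # "regular", "shared" or "distribution group"
    enabled: bool
    rules: list[ForwardRule] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Domain part of an SMTP address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, client_domains: set[str]) -> bool:
    """External means the domain is not one of the client's own (including alias) domains."""
    return domain_of(address) not in {d.lower() for d in client_domains}


def rule_findings(rule: ForwardRule, client_domains: set[str],
                  suspicious_names: set[str] = SUSPICIOUS_RULE_NAMES) -> list[str]:
    """The OR-ed per-rule conditions: any non-empty result makes the rule insecure."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a, client_domains)]
    if external:
        findings.append(f"forwards to external address(es) {', '.join(external)}")
    if len(rule.display_name) == 1:
        findings.append(f"one-character display name {rule.display_name!r}")
    if rule.display_name.strip().lower() in suspicious_names:
        findings.append(f"display name {rule.display_name!r} matches a known-exploit pattern")
    return findings


def evaluate(inboxes: list[Inbox], client_domains: set[str],
             suspicious_names: set[str] = SUSPICIOUS_RULE_NAMES) -> dict[str, list[str]]:
    """Return {inbox address: [reasons]} for every inbox that triggers the event.

    The AND-ed conditions (enabled, has rules) gate the per-rule checks; the mailbox
    kind (regular, shared, distribution group) deliberately plays no part.
    """
    triggered: dict[str, list[str]] = {}
    for inbox in inboxes:
        if not inbox.enabled or not inbox.rules:
            continue
        reasons = [f"rule {r.display_name!r}: {f}"
                   for r in inbox.rules
                   for f in rule_findings(r, client_domains, suspicious_names)]
        if reasons:
            triggered[inbox.address] = reasons
    return triggered


# Constructed sample data: example.com plus an alias domain; .invalid is a reserved TLD.
CLIENT_DOMAINS = {"example.com", "example-mail.com"}
SAMPLE_INBOXES = [
    # Forward to the client's alias domain (different case): internal, no trigger.
    Inbox("alice@example.com", "regular", True,
          [ForwardRule("Receipts", ["alice@Example-Mail.com"])]),
    # Classic compromise: one-character name and an external destination.
    Inbox("bob@example.com", "regular", True,
          [ForwardRule(".", ["drop@external.invalid"])]),
    # Internal destination, but the name matches the (illustrative) exploit list.
    Inbox("sales@example.com", "shared", True,
          [ForwardRule("RSS Feeds", ["sales-archive@example.com"])]),
    # External forward on a disabled inbox: first condition fails, no trigger.
    Inbox("carol@example.com", "regular", False,
          [ForwardRule("Archive", ["carol@external.invalid"])]),
    # Enabled distribution group with no rules: second condition fails, no trigger.
    Inbox("all-staff@example.com", "distribution group", True),
]


if __name__ == "__main__":
    for address, reasons in evaluate(SAMPLE_INBOXES, CLIENT_DOMAINS).items():
        print(address)
        for reason in reasons:
            print("  -", reason)
```

Running the block lists bob@example.com with two reasons (external destination and one-character name) and sales@example.com with one (name on the illustrative list); the alias-domain forward, the disabled inbox and the rule-less distribution group are correctly left out. Domain comparison is case-insensitive but exact, matching the page's statement that only domains present in the client's environment count as internal.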
Resolutions
- If you cannot directly remove the rule but have Exchange Online (Microsoft 365) admin access, you can set the domain's outbound spam filter policy to block automatic external forwarding (the policy's "Automatic forwarding rules" setting); note that this blocks all automatic external forwarding for the tenant, not just the flagged rule, so check for legitimate business forwarding first
- Remove the rule from the user's mailbox; if the user did not create it, treat the account as compromised and review its recent sign-ins and reset its credentials as well
- If the user is being offboarded, disable the inbox; a disabled inbox no longer meets the first condition above and will stop triggering this event