Detect hidden inbox forward rule in On-Premise Exchange
Today, we are going to discuss detecting hidden inbox forward rule in On-Premise Exchange.
In many exchange email account compromise case investigations, attacker tends to add an inbox rule and forward victims’ emails to an email account under the attacker’s control. In order to make the victim(s) even harder to detect the forward rules, attackers use some more advanced techniques to hide the forward rules.
There are different research articles discussing the hidden inbox forward rule on O365 including Compass Security, Matthew Green, and GCITS. That’s why we will discuss it for On-Premise Exchange such as Exchange 2013, 2016 & 2019.
Red Team’s perspective
In this section, we are going to simulate the action performed by an attacker.
Lab Environment: Windows 2016 and Exchange 2016 with the latest patches installed.
MFCMAPI Editor is used in our lab. It is available here. In this experiment, we use the version MFCMAPI.x64.exe.20.0.20110.01.
To use MFCMAPI Editor, it is better to use it on a computer already with Microsoft Outlook and a user profile already configured. It makes things easier. Just click “Session”, then “Logon”.
After logon, right-click and then “Open store”.
Expand Mailbox, IPM_SUBTREE, and finally Inbox.
Right-click Inbox and then select “Open associated contents table”.
The top window does not clearly indicate which rule is the “Evil rule” we are looking for. We need to navigate one by one. The PR_RULE_MSG_NAME_W value in the bottom window will suggest us the name of the “Evil forwarding rule”.
Clear the value “PR_RULE_MSG_NAME_W” and “PR_RULE_MSG_PROVIDER_W” value, and “Save Changes”.
When back to the OWA interface and Outlook interface, the evil forwarding rules are now hidden but still work. You may need to refresh the interface several times to see the new results. Now, attackers are watching your mailbox and hiding their existence.
Detection of hidden forward rule
So, how can we detect the hidden rules during the incident response? We have modified a PowerShell script based on GCITS, which also includes “-IncludeHidden” parameters, “RedirectTo” conditions. This PowerShell script is also available on our GitHub here.
param ([String] $csv_file, $csv_path)
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
$LogTime = Get-Date -Format "MM-dd-yyyy_hh-mm-ss"
$domains = Get-AcceptedDomain
$mailboxes = Get-Mailbox -ResultSize Unlimited | Select-Object -Property SamAccountName, UserPrincipalName, PrimarySmtpAddress
foreach ($mailbox in $mailboxes) {
$forwardingRules = $null
#Write-Host "Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)" -foregroundColor Green
$rules = get-inboxrule -Mailbox $mailbox.UserPrincipalName -IncludeHidden
$forwardingRules = $rules | Where-Object { $_.RedirectTo -or $_.ForwardTo -or $_.ForwardAsAttachmentTo }
foreach ($rule in $forwardingRules) {
$recipients = @()
if ($rule.ForwardTo) {
$recipients += $rule.ForwardTo | Where-Object { $_ -match "SMTP" }
}
if ($rule.ForwardAsAttachmentTo) {
$recipients += $rule.ForwardAsAttachmentTo | Where-Object { $_ -match "SMTP" }
}
if ($rule.RedirectTo) {
$recipients += $rule.RedirectTo | Where-Object { $_ -match "SMTP" }
}
$externalRecipients = @()
foreach ($recipient in $recipients) {
$email = ($recipient -split "SMTP:")[1].Trim("]")
$domain = ($email -split "@")[1]
if ($domains.DomainName -notcontains $domain) {
$externalRecipients += $email
}
}
if ($externalRecipients) {
$extRecString = $externalRecipients -join "; "
Write-Host "User: $($mailbox.SamAccountName) Rule: $($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
$ruleHash = $null
$ruleHash = [ordered]@{
SamAccountName = $mailbox.SamAccountName
UserPrincipalName = $mailbox.UserPrincipalName
PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
RuleId = $rule.Identity
RuleEnabled = $rule.Enabled
RuleName = $rule.Name
ExternalRecipients = $extRecString
RedirectTo = $rule.RedirectTo -join ';'
ForwardTo = $rule.ForwardTo -join ';'
ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo -join ';'
RuleDescription = $rule.Description
}
$ruleObject = New-Object PSObject -Property $ruleHash
if ($csv_file) {
if (!$csv_path) {
Set-Variable -Name "csv_path" -Value "$SplunkHome\var\log\TA_ExchangeForwardingRules_for_splunk"
}
If (!(test-path $csv_path)) {
New-Item -ItemType Directory -Force -Path $csv_path
}
$ruleObject | Export-CSV $csv_path\$csv_file"_"$LogTime.csv -NoTypeInformation -Append
}
else {
$ruleObject
# $ruleObject | Format-Table -Wrap -Property SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription
}
}
}
}As you can see below, the rule name changed to rule ID, and the IncludeHidden parameter successfully showed the hidden rules.
In addition, this PowerShell script also exports a CSV under the path given by $csv_path\$csv_file arguments which can give you more context of the forwarding rule.
Containment
We should reset the user password in case the user account compromise is confirmed.
Eradication/Remediation
As other posts suggested, run “outlook /cleanrules” which will clean up ALL user rules. You will clean up all rules by user and attacker.
So, can I delete the inbox forwarding rules using MFCMAPI Editor? While I do not suggest it. In our lab environment, it does suggest only inbox rules has the attribute “PR_RULE_MSG_NAME_W” and “PR_RULE_MSG_PROVIDER_W”, and we can locate and delete the entry which makes the inbox rule entry disappears. However, we still do not clear about the impact of this delete action.
Recovery & Lessons Learned
- Discussed with business owner and other stack holders to disable external email forwarding. Refer to Prevent Users from Forwarding Mail to Internet Addresses
- Implement 2FA
- Monitoring forward rules using Schedule jobs or SIEM.
Use Splunk to monitor hidden forward rule
We have included some configuration file samples included below
inputs.conf
[monitor://C:\Splunk\MSExchange_ForwardRule_*.csv]
disabled = 0
crcSalt = <SOURCE>
sourcetype = msexchange:mailforward:csv
index=mailprops.conf
[msexchange:mailforward:csv]
# Splunk magic 8 props
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# TIME_PREFIX = ^
# MAX_TIMESTAMP_LOOKAHEAD = 28
# TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q %Z
# TRUNCATE = 700
# For_Load_Balancing_On_UF
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=true
CHARSET=UTF-8
KV_MODE=none
category=Mail
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type=true
FIELD_NAMES=SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription
REPORT-auto_kv_for_msexchange_mailforward = auto_kv_for_msexchange_mailforward
EVAL-ForwardTo=replace(ForwardTo, "\"\"", "\"")
EVAL-RedirectTo=replace(RedirectTo, "\"\"", "\"")transforms.conf
[auto_kv_for_msexchange_mailforward]
DELIMS = ","
FIELDS = "SamAccountName","UserPrincipalName","PrimarySmtpAddress","RuleId","RuleEnabled","RuleName","ExternalRecipients","RedirectTo","ForwardTo","ForwardAsAttachmentTo","RuleDescription"
Sample Correlation Rule:
index=mail sourcetype=msexchange:mailforward:csv NOT RuleEnabled="RuleEnabled" NOT [ | inputlookup msexchange_mailforward_exclusion.csv ] | table SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription | eval user=SamAccountNameIf any of users had a valid business reason to forward to an external domain including a business partner, add the exception in msexchange_mailforward_exclusion.csv.
