{"id":145,"date":"2020-07-08T11:07:19","date_gmt":"2020-07-08T11:07:19","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=145"},"modified":"2024-04-01T13:51:20","modified_gmt":"2024-04-01T05:51:20","slug":"detect-hidden-inbox-forward-rule-in-on-premise-exchange","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/","title":{"rendered":"Detect hidden inbox forward rule in On-Premise Exchange"},"content":{"rendered":"<p>Today, we are going to discuss detecting hidden inbox forwarding rules in On-Premise Exchange.<\/p>\n\n\n\n<p>In many Exchange email account compromise investigations, the attacker adds an inbox rule that forwards the victim&#8217;s emails to an email account under the attacker&#8217;s control. To make the forwarding rules even harder for the victim(s) to detect, attackers use more advanced techniques to hide them.<\/p>\n\n\n\n<p>There are different research articles discussing hidden inbox forwarding rules on O365, including&nbsp;<a href=\"https:\/\/blog.compass-security.com\/2018\/09\/hidden-inbox-rules-in-microsoft-exchange\/\">Compass Security<\/a>,&nbsp;<a href=\"https:\/\/mgreen27.github.io\/posts\/2019\/06\/09\/O365HiddenRules.html\">Matthew Green<\/a>,&nbsp;and&nbsp;<a href=\"https:\/\/gcits.com\/knowledge-base\/find-inbox-rules-forward-mail-externally-office-365-powershell\/\">GCITS<\/a>. 
That&#8217;s why we will discuss it here for On-Premise Exchange, such as Exchange 2013, 2016 &amp; 2019.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-red-team-s-perspective\"><strong>Red Team&#8217;s perspective<\/strong><\/h2>\n\n\n\n<p>In this section, we simulate the actions performed by an attacker.<\/p>\n\n\n\n<p><strong>Lab Environment<\/strong>: Windows 2016 and Exchange 2016 with the latest patches installed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/visible-inbox-forwarding-rules-in-on-premise-exchange.png\" alt=\"Visible inbox forwarding rules in On-Premise Exchange\" class=\"wp-image-200\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/visible-inbox-forwarding-rules-in-on-premise-exchange.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/visible-inbox-forwarding-rules-in-on-premise-exchange-300x101.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/visible-inbox-forwarding-rules-in-on-premise-exchange-768x259.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/visible-inbox-forwarding-rules-in-on-premise-exchange-600x202.png 600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">After compromising a user account, the attacker adds an evil forwarding rule.<\/figcaption><\/figure>\n\n\n\n<p>MFCMAPI Editor is used in our lab. 
It is available&nbsp;<a href=\"https:\/\/github.com\/stephenegriffin\/mfcmapi\/releases\">here<\/a>.&nbsp;In this experiment, we use version MFCMAPI.x64.exe.20.0.20110.01.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"446\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-welcome-screen.png\" alt=\"MFCMAPI welcome screen\" class=\"wp-image-201\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-welcome-screen.png 602w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-welcome-screen-300x222.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-welcome-screen-600x445.png 600w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\">MFCMAPI Welcome Screen<\/figcaption><\/figure>\n\n\n\n<p>MFCMAPI Editor is easiest to use on a computer that already has Microsoft Outlook installed and a user profile configured. 
Just click &#8220;Session&#8221;, then &#8220;Logon&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"442\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-session-logon.png\" alt=\"MFCMAPI session logon screen\" class=\"wp-image-203\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-session-logon.png 602w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-session-logon-300x220.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-session-logon-600x441.png 600w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"443\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-choose-outlook-profile.png\" alt=\"MFCMAPI choose outlook profile screen\" class=\"wp-image-204\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-choose-outlook-profile.png 602w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-choose-outlook-profile-300x221.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-choose-outlook-profile-600x442.png 600w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\">Choose the correct &#8220;Outlook&#8221; profile in MFCMAPI<\/figcaption><\/figure>\n\n\n\n<p>After logon, right-click and then &#8220;Open store&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"727\" height=\"516\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-open-store.png\" alt=\"MFCMAPI open store screen\" class=\"wp-image-205\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-open-store.png 727w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-open-store-300x213.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-open-store-340x240.png 340w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-open-store-600x426.png 600w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<p>Expand Mailbox, IPM_SUBTREE, and finally Inbox.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"910\" height=\"558\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-IPM_SUBTREE-Inbox.png\" alt=\"MFCMAPI IPM_SUBTREE Inbox\" class=\"wp-image-207\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-IPM_SUBTREE-Inbox.png 910w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-IPM_SUBTREE-Inbox-300x184.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-IPM_SUBTREE-Inbox-768x471.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-IPM_SUBTREE-Inbox-600x368.png 600w\" sizes=\"auto, (max-width: 910px) 100vw, 910px\" \/><\/figure>\n\n\n\n<p>Right-click Inbox and then select &#8220;Open associated contents table&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"559\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-Open-associated-contents-table.png\" alt=\"MFCMAPI Open associated contents table\" class=\"wp-image-209\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-Open-associated-contents-table.png 908w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-Open-associated-contents-table-300x185.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-Open-associated-contents-table-768x473.png 768w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-Open-associated-contents-table-600x369.png 600w\" sizes=\"auto, (max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p>The top window does not clearly indicate which rule is the &#8220;Evil rule&#8221; we are looking for, so we need to step through the entries one by one. The PR_RULE_MSG_NAME_W value in the bottom window reveals the name of the &#8220;Evil forwarding rule&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"622\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules.png\" alt=\"MFCMAPI show evil forwarding rules\" class=\"wp-image-210\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules.png 940w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-300x199.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-768x508.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-600x397.png 600w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/figure>\n\n\n\n<p>Clear the &#8220;PR_RULE_MSG_NAME_W&#8221; and &#8220;PR_RULE_MSG_PROVIDER_W&#8221; values, then click &#8220;Save Changes&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-save-changes.png\" alt=\"MFCMAPI evil-forwarding rules save changes\" class=\"wp-image-211\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-save-changes.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-save-changes-300x173.png 300w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-save-changes-768x443.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/MFCMAPI-evil-forwarding-rules-save-changes-600x346.png 600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Back in the OWA and Outlook interfaces, the evil forwarding rules are now hidden but still work. You may need to refresh the interface several times to see the change. The attacker is now watching the mailbox while hiding their presence.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"331\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_owa.png\" alt=\"hidden inbox forwarding rules in On-Premise Exchange in OWA\" class=\"wp-image-212\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_owa.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_owa-300x97.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_owa-768x248.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_owa-600x194.png 600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"480\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_outlook.png\" alt=\"hidden inbox forwarding rules in On-Premise Exchange in Outlook\" class=\"wp-image-213\" 
srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_outlook.png 576w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/hidden-inbox-forwarding-rules-in-on-premise-exchange_outlook-300x250.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detection-of-hidden-forward-rule\"><strong>Detection<\/strong> <strong>of hidden forward rule<\/strong><\/h2>\n\n\n\n<p>So, how can we detect the hidden rules during incident response?&nbsp; We have modified the GCITS PowerShell script to add the &#8220;-IncludeHidden&#8221; parameter and a &#8220;RedirectTo&#8221; condition. This PowerShell script is also available on our GitHub <a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/on_premises_exchange_mailbox_forward_rules.ps1\">here<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>param (&#91;String] $csv_file, $csv_path)\n\n# Load the on-premises Exchange cmdlets (Get-AcceptedDomain, Get-Mailbox, Get-InboxRule)\nAdd-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;\n\n$LogTime = Get-Date -Format \"MM-dd-yyyy_hh-mm-ss\"\n\n# Accepted domains count as internal; any other recipient domain is treated as external\n$domains = Get-AcceptedDomain\n$mailboxes = Get-Mailbox -ResultSize Unlimited | Select-Object -Property SamAccountName, UserPrincipalName, PrimarySmtpAddress\n \nforeach ($mailbox in $mailboxes) {\n \n    $forwardingRules = $null\n    #Write-Host \"Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)\" -foregroundColor Green\n    # -IncludeHidden is the key change from the O365 script: it also returns rules whose\n    # name and provider were blanked with MFCMAPI and which OWA/Outlook no longer display\n    $rules = get-inboxrule -Mailbox $mailbox.UserPrincipalName -IncludeHidden\n     \n    $forwardingRules = $rules | Where-Object { $_.RedirectTo -or $_.ForwardTo -or $_.ForwardAsAttachmentTo }\n \n    foreach ($rule in $forwardingRules) {\n        $recipients = @()\n        if ($rule.ForwardTo) {\n            $recipients += $rule.ForwardTo | Where-Object { $_ -match \"SMTP\" 
}\n        }\n        if ($rule.ForwardAsAttachmentTo) {\n            $recipients += $rule.ForwardAsAttachmentTo | Where-Object { $_ -match \"SMTP\" }\n        }\n        if ($rule.RedirectTo) {            \n            $recipients += $rule.RedirectTo | Where-Object { $_ -match \"SMTP\" }\n        }\n     \n        $externalRecipients = @()\n \n        # Recipients are formatted like \"Display Name [SMTP:user@domain.tld]\";\n        # extract the address and keep it only if its domain is not an accepted domain\n        foreach ($recipient in $recipients) {\n            $email = ($recipient -split \"SMTP:\")&#91;1].Trim(\"]\")\n            $domain = ($email -split \"@\")&#91;1]\n    \n            if ($domains.DomainName -notcontains $domain) {\n                $externalRecipients += $email\n            }\n        }\n \n        if ($externalRecipients) {\n            $extRecString = $externalRecipients -join \"; \"\n            Write-Host \"User: $($mailbox.SamAccountName) Rule: $($rule.Name) forwards to $extRecString\" -ForegroundColor Yellow\n \n            # One record per rule; the column order matches FIELD_NAMES in the Splunk props.conf\n            $ruleHash = $null\n            $ruleHash = &#91;ordered]@{\n                SamAccountName        = $mailbox.SamAccountName\n                UserPrincipalName     = $mailbox.UserPrincipalName\n                PrimarySmtpAddress    = $mailbox.PrimarySmtpAddress\n                RuleId                = $rule.Identity\n                RuleEnabled           = $rule.Enabled\n                RuleName              = $rule.Name\n                ExternalRecipients    = $extRecString\n                RedirectTo            = $rule.RedirectTo -join ';'\n                ForwardTo             = $rule.ForwardTo -join ';'\n                ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo -join ';'\n                RuleDescription       = $rule.Description\n            }\n            $ruleObject = New-Object PSObject -Property $ruleHash\n            if ($csv_file) {\n                if (!$csv_path) {\n                    # $SplunkHome is not set in this script; the caller must define it or pass -csv_path\n                    Set-Variable -Name \"csv_path\" -Value \"$SplunkHome\\var\\log\\TA_ExchangeForwardingRules_for_splunk\"\n                }\n                If (!(test-path $csv_path)) {\n     
               New-Item -ItemType Directory -Force -Path $csv_path\n                }\n                # Append to a timestamped CSV: <csv_path>\\<csv_file>_<LogTime>.csv\n                $ruleObject | Export-CSV \"$csv_path\\${csv_file}_$LogTime.csv\" -NoTypeInformation -Append\n            }\n            else {\n                $ruleObject\n                # $ruleObject | Format-Table -Wrap -Property SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription\n            }\n        }\n    }\n}<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>As you can see below, the rule name now shows as the rule ID, and the IncludeHidden parameter successfully revealed the hidden rules.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"620\" height=\"60\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png\" alt=\"forward rules powershell IncludeHidden\" class=\"wp-image-214\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png 620w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden-300x29.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden-600x58.png 600w\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/figure>\n\n\n\n<p>In addition, this PowerShell script exports a CSV under the path given by the $csv_path and $csv_file arguments, which gives you more context about the forwarding rule.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-containment\"><strong>Containment<\/strong><\/h2>\n\n\n\n<p>We should reset the user&#8217;s password once the account compromise is confirmed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-eradication-remediation\"><strong>Eradication\/Remediation<\/strong><\/h2>\n\n\n\n<p>As other posts suggest, run &#8220;outlook \/cleanrules&#8221;, which will clean up ALL user 
rules.&nbsp;This removes all rules created by both the user and the attacker.<br>So, can I delete the inbox forwarding rule using MFCMAPI Editor? I do not recommend it. In our lab environment, only inbox rules appear to carry the &#8220;PR_RULE_MSG_NAME_W&#8221; and &#8220;PR_RULE_MSG_PROVIDER_W&#8221; attributes, and we can locate and delete the entry, which makes the inbox rule disappear. However, we are still not clear about the impact of this delete action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-recovery-amp-lessons-learned\"><strong>Recovery &amp; Lessons Learned<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Discuss with the business owner and other stakeholders about disabling external email forwarding. Refer to&nbsp;<a href=\"https:\/\/www.slipstick.com\/exchange\/prevent-users-from-forwarding-mail-to-internet-addresses\/\">Prevent Users from Forwarding Mail to Internet Addresses<\/a><\/li>\n\n\n\n<li>Implement 2FA<\/li>\n\n\n\n<li>Monitor forwarding rules using scheduled jobs or a SIEM.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-use-splunk-to-monitor-hidden-forward-rule\"><strong>Use Splunk to monitor hidden<\/strong> <strong>forward rule<\/strong><\/h2>\n\n\n\n<p>Some sample configuration files are included below.<\/p>\n\n\n\n<p>inputs.conf<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;monitor:\/\/C:\\Splunk\\MSExchange_ForwardRule_*.csv]\ndisabled = 0\ncrcSalt = &lt;SOURCE&gt;\nsourcetype = msexchange:mailforward:csv\nindex=mail<\/code><\/pre>\n\n\n\n<p>props.conf<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;msexchange:mailforward:csv]\n# Splunk magic 8 props\nSHOULD_LINEMERGE = false\nLINE_BREAKER = (&#91;\\r\\n]+)\n# TIME_PREFIX = ^\n# MAX_TIMESTAMP_LOOKAHEAD = 28\n# TIME_FORMAT=%Y-%m-%d %H:%M:%S.%Q %Z\n# TRUNCATE = 700\n# For_Load_Balancing_On_UF\nEVENT_BREAKER_ENABLE = true\nEVENT_BREAKER = 
(&#91;\\r\\n]+)\nDATETIME_CONFIG=CURRENT\nNO_BINARY_CHECK=true\nCHARSET=UTF-8\nKV_MODE=none\ncategory=Mail\ndescription=Comma-separated value format. Set header and other settings in \"Delimited Settings\"\npulldown_type=true\nFIELD_NAMES=SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription\nREPORT-auto_kv_for_msexchange_mailforward = auto_kv_for_msexchange_mailforward\nEVAL-ForwardTo=replace(ForwardTo, \"\\\"\\\"\", \"\\\"\")\nEVAL-RedirectTo=replace(RedirectTo, \"\\\"\\\"\", \"\\\"\")<\/code><\/pre>\n\n\n\n<p>transforms.conf<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;auto_kv_for_msexchange_mailforward]\nDELIMS = \",\"\nFIELDS = \"SamAccountName\",\"UserPrincipalName\",\"PrimarySmtpAddress\",\"RuleId\",\"RuleEnabled\",\"RuleName\",\"ExternalRecipients\",\"RedirectTo\",\"ForwardTo\",\"ForwardAsAttachmentTo\",\"RuleDescription\"\n<\/code><\/pre>\n\n\n\n<p>Sample Correlation Rule (the NOT RuleEnabled=\"RuleEnabled\" clause drops the CSV header line, which is otherwise indexed as an event because the fields are assigned by position):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=mail sourcetype=msexchange:mailforward:csv NOT RuleEnabled=\"RuleEnabled\" NOT &#91; | inputlookup msexchange_mailforward_exclusion.csv ] | table SamAccountName,UserPrincipalName,PrimarySmtpAddress,RuleId,RuleEnabled,RuleName,ExternalRecipients,RedirectTo,ForwardTo,ForwardAsAttachmentTo,RuleDescription | eval user=SamAccountName<\/code><\/pre>\n\n\n\n<p>If a user has a valid business reason to forward to an external domain, such as a business partner, add an exception to&nbsp;msexchange_mailforward_exclusion.csv.<\/p>","protected":false},"excerpt":{"rendered":"<p>In many Exchange email account compromise investigations, the attacker adds an inbox rule that forwards the victim&#8217;s emails to an email account under the attacker&#8217;s control. 
To make the forwarding rules even harder for the victim(s) to detect, attackers use more advanced techniques to hide them.<br \/>\nThere are different research articles discussing hidden inbox forwarding rules on O365, including Compass Security, Matthew Green and GCITS. That&#8217;s why we will discuss it here for On-Premise Exchange, such as Exchange 2013, 2016 &#038; 2019.<\/p>","protected":false},"author":2,"featured_media":214,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,43,28,40,23,45],"tags":[21,38,19,29,17,20,30],"class_list":["post-145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-incident-response","category-powershell","category-red-team","category-splunk","category-threat-hunting","tag-blue-team","tag-exchange","tag-incident-response","tag-powershell","tag-red-team","tag-splunk","tag-threat-hunting"],"yoast_head":"<title>Detect hidden inbox forward rule in On-Premise Exchange - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"discuss detect hidden inbox forward rule in On-Premise Exchange... 
discuss On-Premise Microsoft Exchange such as Exchange 2013, 2016 &amp; 2019.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detect hidden inbox forward rule in On-Premise Exchange\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-08T11:07:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:51:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png\" \/>\n\t<meta property=\"og:image:width\" content=\"620\" \/>\n\t<meta property=\"og:image:height\" content=\"60\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"Author:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/\"},\"author\":{\"name\":\"Kelvin 
Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"Detect hidden inbox forward rule in On-Premise Exchange\",\"datePublished\":\"2020-07-08T11:07:19+00:00\",\"dateModified\":\"2024-04-01T05:51:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/\"},\"wordCount\":647,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/forwardrules_powershell_IncludeHidden.png\",\"keywords\":[\"Blue Team\",\"Exchange\",\"Incident Response\",\"PowerShell\",\"Red Team\",\"Splunk\",\"Threat Hunting\"],\"articleSection\":[\"Blue Team\",\"Incident Response\",\"PowerShell\",\"Red Team\",\"Splunk\",\"Threat Hunting\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/\",\"name\":\"Detect hidden inbox forward rule in On-Premise Exchange - 
CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/forwardrules_powershell_IncludeHidden.png\",\"datePublished\":\"2020-07-08T11:07:19+00:00\",\"dateModified\":\"2024-04-01T05:51:20+00:00\",\"description\":\"discuss detect hidden inbox forward rule in On-Premise Exchange... discuss On-Premise Microsoft Exchange such as Exchange 2013, 2016 & 2019.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/forwardrules_powershell_IncludeHidden.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/forwardrules_powershell_IncludeHidden.png\",\"width\":620,\"height\":60,\"caption\":\"forward rules powershell 
IncludeHidden\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Splunk\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/splunk\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detect hidden inbox forward rule in On-Premise Exchange\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), 
Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Detect hidden inbox forward rule in On-Premise Exchange - CyberSecThreat","description":"discuss detect hidden inbox forward rule in On-Premise Exchange... discuss On-Premise Microsoft Exchange such as Exchange 2013, 2016 & 2019.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/","og_locale":"zh_TW","og_type":"article","og_title":"Detect hidden inbox forward rule in On-Premise Exchange","og_description":"In many of exchange email account compromise case investigation, attacker trends to add an inbox rule and forward victims's email to an email account under attacker's control. In order to make the victim(s) even harder to detect the forward rules, attacker use some more advance technique to hide the forward rules. 
There are different research articles discussing hidden inbox forward rule on O365 including Compass Security, Matthew Green and GCITS. That's why we will discuss it for On-Premise Exchange such as Exchange 2013, 2016 & 2019.","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-07-08T11:07:19+00:00","article_modified_time":"2024-04-01T05:51:20+00:00","og_image":[{"width":620,"height":60,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"\u4f5c\u8005:":"Kelvin Yip","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"6 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"Detect hidden inbox forward rule in On-Premise 
Exchange","datePublished":"2020-07-08T11:07:19+00:00","dateModified":"2024-04-01T05:51:20+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/"},"wordCount":647,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png","keywords":["Blue Team","Exchange","Incident Response","PowerShell","Red Team","Splunk","Threat Hunting"],"articleSection":["Blue Team","Incident Response","PowerShell","Red Team","Splunk","Threat Hunting"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/","url":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/","name":"Detect hidden inbox forward rule in On-Premise Exchange - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png","datePublished":"2020-07-08T11:07:19+00:00","dateModified":"2024-04-01T05:51:20+00:00","description":"discuss detect hidden inbox forward rule in On-Premise Exchange... 
discuss On-Premise Microsoft Exchange such as Exchange 2013, 2016 & 2019.","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png","width":620,"height":60,"caption":"forward rules powershell IncludeHidden"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Splunk","item":"https:\/\/cybersecthreat.com\/category\/splunk\/"},{"@type":"ListItem","position":2,"name":"Detect hidden inbox forward rule in On-Premise 
Exchange"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. 
With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin 
Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#local-main-place-address","streetAddress":"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/detect-hidden-inbox-forward-rule-in-on-premise-exchange\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":43,"label":"Incident Response"},{"value":28,"label":"PowerShell"},{"value":40,"label":"Red Team"},{"value":23,"label":"Splunk"},{"value":45,"label":"Threat Hunting"}],"post_tag":[{"value":21,"label":"Blue 
Team"},{"value":38,"label":"Exchange"},{"value":19,"label":"Incident Response"},{"value":29,"label":"PowerShell"},{"value":17,"label":"Red Team"},{"value":20,"label":"Splunk"},{"value":30,"label":"Threat Hunting"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/forwardrules_powershell_IncludeHidden.png",620,60,false],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":1,"category_info":[{"term_id":42,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":42,"taxonomy":"category","description":"","parent":0,"count":14,"filter":"raw","cat_ID":42,"category_count":14,"category_description":"","cat_name":"Blue Team","category_nicename":"blue-team","category_parent":0},{"term_id":43,"name":"Incident Response","slug":"incident-response","term_group":0,"term_taxonomy_id":43,"taxonomy":"category","description":"","parent":0,"count":5,"filter":"raw","cat_ID":43,"category_count":5,"category_description":"","cat_name":"Incident Response","category_nicename":"incident-response","category_parent":0},{"term_id":28,"name":"PowerShell","slug":"powershell","term_group":0,"term_taxonomy_id":28,"taxonomy":"category","description":"","parent":0,"count":3,"filter":"raw","cat_ID":28,"category_count":3,"category_description":"","cat_name":"PowerShell","category_nicename":"powershell","category_parent":0},{"term_id":40,"name":"Red Team","slug":"red-team","term_group":0,"term_taxonomy_id":40,"taxonomy":"category","description":"","parent":0,"count":6,"filter":"raw","cat_ID":40,"category_count":6,"category_description":"","cat_name":"Red 
Team","category_nicename":"red-team","category_parent":0},{"term_id":23,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":23,"taxonomy":"category","description":"","parent":0,"count":10,"filter":"raw","cat_ID":23,"category_count":10,"category_description":"","cat_name":"Splunk","category_nicename":"splunk","category_parent":0},{"term_id":45,"name":"Threat Hunting","slug":"threat-hunting","term_group":0,"term_taxonomy_id":45,"taxonomy":"category","description":"","parent":0,"count":3,"filter":"raw","cat_ID":45,"category_count":3,"category_description":"","cat_name":"Threat Hunting","category_nicename":"threat-hunting","category_parent":0}],"tag_info":[{"term_id":21,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":21,"taxonomy":"post_tag","description":"","parent":0,"count":13,"filter":"raw"},{"term_id":38,"name":"Exchange","slug":"exchange","term_group":0,"term_taxonomy_id":38,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":19,"name":"Incident Response","slug":"incident-response","term_group":0,"term_taxonomy_id":19,"taxonomy":"post_tag","description":"","parent":0,"count":6,"filter":"raw"},{"term_id":29,"name":"PowerShell","slug":"powershell","term_group":0,"term_taxonomy_id":29,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"},{"term_id":17,"name":"Red Team","slug":"red-team","term_group":0,"term_taxonomy_id":17,"taxonomy":"post_tag","description":"","parent":0,"count":6,"filter":"raw"},{"term_id":20,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":20,"taxonomy":"post_tag","description":"","parent":0,"count":8,"filter":"raw"},{"term_id":30,"name":"Threat 
Hunting","slug":"threat-hunting","term_group":0,"term_taxonomy_id":30,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=145"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/145\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/214"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/tags?post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}