Summary
The following states Connor Group's policies and practices regarding blanket forwarding rules that relay company email to external recipients.
Forwarding and redirect rules are commonly created by attackers who have compromised a user's credentials. Such a rule silently copies or redirects the user's incoming mail to an address the attacker controls, so the attacker can read correspondence without the user's knowledge and keeps receiving it even after the password is reset. What is learned is then used in phishing (links and attachments leading to phishing sites and malware) and in social engineering attacks where the attacker acts as a sort of man in the middle, using the legitimate account and knowledge of ongoing conversations to deceive another person into taking an action they would not take if the message came from a less trusted source. Creation of a forwarding or redirect rule is therefore a red flag that must be investigated for malicious activity.
Policy
Connor Group has a number of contractual, legal, and ethical obligations to ensure that company and client data is accessible only to employees, vendors, sub-contractors and clients who have been authorized to access the data and have a legitimate business reason to do so. Additionally, Connor Group expects that business-related correspondence be conducted using resources governed by Connor Group's security and record-keeping policies and within Connor Group's branding sphere (domain names, marketing materials, letterhead, etc).
Therefore, the use of a blanket forwarding rule on company email accounts to relay messages to an external recipient is not permitted unless approved through an IT Support request. Users are expected to use their company provided messaging resources for correspondence related to company business when either sending or receiving messages.
Exceptions to this policy may be requested by contacting the IT Support team. The request for an exception must provide a business use case and a description of the expected correspondence activities. The proposed use case and correspondence description must state, or make clearly evident, why the exception will not create:
- an elevated potential for company or client data to be exposed to unauthorized parties
- a branding mismatch in correspondence
- business activities being conducted outside of Connor Group's security and record keeping policies
Established Exceptions
RevGurus
An exception to this policy has been generally approved for RevGuru users forwarding their mail to the RevGuru accounts.
IT Process
Alert policies are in place to monitor for the creation of these types of forwarding rules. An IT support ticket is generated when one is found.
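The following is an added example, not the alert policy definition used by IT, showing how the same events can be pulled out of the unified audit log for review: it searches for the operations that can introduce forwarding and flags targets outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module with a session opened by Connect-ExchangeOnline and audit logging enabled; the 24-hour window, the operation list and the function name are this example's own choices.

```powershell
# Added example: query the unified audit log for the changes the alert
# policies react to and flag the ones whose target is outside the tenant.
# Assumes ExchangeOnlineManagement, Connect-ExchangeOnline already run, and
# audit logging enabled. Window, operation list and function name are
# this example's own choices, not IT's alert policy definition.
function Get-ForwardingChange {
    param([int]$Hours = 24)

    # Domains the tenant owns; any other domain is external.
    $ownDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

    # Operations that can introduce forwarding: inbox rules created or changed
    # through OWA or remote PowerShell, and the mailbox "forwarding" setting.
    # (UpdateInboxRules, written by Outlook desktop, stores its actions in
    # OperationProperties rather than Parameters and is not decoded here.)
    $ops     = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
    $watched = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
               'ForwardingSmtpAddress', 'ForwardingAddress'

    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
                                     -Operations $ops -ResultSize 5000   # page if you hit 5000

    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json      # AuditData is a JSON string
        foreach ($p in @($d.Parameters | Where-Object { $watched -contains $_.Name })) {
            # Recipient values show up as '"Name" [SMTP:addr]', '"Name" [EX:legacyDN]',
            # 'smtp:addr' or a bare address; bring the last two into the bracket form.
            $value = "$($p.Value)"
            if ($value -notmatch '\[(SMTP|EX):') {
                $value = $value -replace '(?i)^(?:smtp:)?([^\s"]+@[^\s"]+)$', '[SMTP:$1]'
            }
            $hits = @([regex]::Matches($value, '(?i)\[(SMTP|EX):([^\]]+)\]') |
                      ForEach-Object { ,@($_.Groups[1].Value.ToUpper(), $_.Groups[2].Value) })
            # e.g. a ForwardingAddress recorded as a display name: keep it, mark it unresolved
            if ($hits.Count -eq 0) { $hits = ,@('RAW', $value) }

            foreach ($h in $hits) {
                $kind, $tgt = $h
                [pscustomobject]@{
                    When      = $d.CreationTime
                    Actor     = $d.UserId      # who made the change
                    Mailbox   = $d.ObjectId    # whose mailbox it was made on
                    Operation = $d.Operation
                    Parameter = $p.Name
                    Target    = $tgt
                    ClientIP  = $d.ClientIP
                    # SMTP targets are classified by domain. An EX: legacy DN points at a
                    # directory object that may still be an external contact (as in the
                    # RedirectTo output later on this page): resolve it with Get-Recipient.
                    External  = if ($kind -eq 'SMTP') { $ownDomains -notcontains $tgt.Split('@')[-1].ToLower() } else { 'unresolved' }
                }
            }
        }
    }
}

# Everything that is external or still unresolved, newest first.
Get-ForwardingChange -Hours 24 | Where-Object { $_.External -ne $false } |
    Sort-Object When -Descending | Format-Table -AutoSize
```

The Actor and ClientIP columns are what distinguish a user tidying their own inbox from a rule created through a compromised session; a rule created from an unfamiliar IP shortly after a sign-in is the pattern described in the Summary.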
Investigation
IT Support should investigate the mailbox settings that generated the alert. Forwarding can be configured in two separate places, an inbox "rule" with a forward or redirect action and the mailbox-level "forwarding" setting, so both must be checked.
The following commands provide an example of what to look for.
This command shows the "forwarding" settings for a mailbox (empty ForwardingAddress and ForwardingSmtpAddress values, as below, mean no mailbox-level forwarding is set):
get-mailbox [email protected] | select primarysmtpAddress,ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward | fl
PrimarySmtpAddress : [email protected]
ForwardingAddress :
ForwardingSmtpAddress :
DeliverToMailboxAndForward : False
This command shows the "rules" settings for a mailbox with the fields relevant to this issue (ForwardAsAttachmentTo is a third forwarding action and is worth adding to the select):
Get-InboxRule -Mailbox [email protected] | select Name,Identity,ForwardTo,RedirectTo,Enabled,StopProcessingRules
Name : Forward to [email protected]
Identity : Frank Thomas\3675504553756721153
ForwardTo :
RedirectTo : {"Matt Larsen [External]" [EX:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user7587e438]}
Enabled : True
StopProcessingRules : False
In this example the rule is enabled and redirects messages to a recipient whose display name carries the "[External]" tag. The recipient is shown as an EX: legacy DN rather than an SMTP address; resolve it with Get-Recipient to confirm the actual destination address before deciding the rule is internal.
IT Support will determine whether the user has created a forwarding rule that sends all or most of their messages to an external recipient, or whether a rule is in place that otherwise looks suspicious.
If that condition is confirmed, IT support will notify the user creating the rule that this action is not permitted by the company's security policies by creating a new "incident" ticket using the "Message forwarding rule ...." ticket template and setting the user as the requester.
After creating the ticket, reply to the ticket using the canned response "Policy on Blanket Email Forwarding Rules".
Proceed to the remediation steps to remove the forwarding rule.
If the forwarding rule looks suspicious or malicious (for example, the user did not create it, which points to compromised credentials), a security incident ticket must also be created according to the policy for handling IT security incidents.
Remediation
IT Support then removes the forwarding by changing the settings on the mailbox, clearing the "forwarding" setting and deleting any inbox rule found during the investigation.
The following PowerShell commands provide an example for doing this:
This example turns off the "forwarding" settings:
set-mailbox [email protected] -ForwardingAddress $null -DeliverToMailboxAndForward $False -ForwardingSmtpAddress $null
This example deletes the forwarding rule:
Remove-InboxRule -Identity "Frank Thomas\3675504553756721153"
Confirm
Are you sure you want to perform this action?
Removing inbox rule "Frank Thomas\3675504553756721153" from mailbox "Frank Thomas".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
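The investigation and remediation steps above combined into one script, as an added example that is not part of the original procedure. It checks a mailbox for external forwarding in both places Exchange Online can hold it, resolves the EX: legacy DN form seen in the rule output above to a real address, reports every target it finds, and removes only the external ones, and only when run with -Remediate. It assumes the ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline; the parameter names, the example address and the -Remediate switch are this example's own.

```powershell
# Added example: one script for the investigation and remediation steps above.
# Checks a mailbox for external forwarding in both places Exchange Online can
# hold it, reports every target, and removes the external ones only with
# -Remediate. Assumes ExchangeOnlineManagement and a Connect-ExchangeOnline
# session; parameter names and the -Remediate switch are this example's own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Mailbox,   # e.g. user@example.com (hypothetical)
    [switch]$Remediate                        # default is report-only
)

# Domains the tenant owns; any other domain is external.
$ownDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

function Test-ExternalAddress([string]$Smtp) {
    return $ownDomains -notcontains $Smtp.Split('@')[-1].ToLower()
}

# Forwarding targets arrive in several shapes:
#   'smtp:user@domain'                        ForwardingSmtpAddress
#   '"Name" [SMTP:user@domain]'               inbox rule, one-off address
#   '"Name" [EX:/o=ExchangeLabs/.../cn=...]'  inbox rule, directory object; can still be
#                                             an external contact, as in the output above
#   a recipient identity                      ForwardingAddress
# Normalise each to a bare SMTP address, or $null when it cannot be resolved.
function Resolve-Target([string]$Entry) {
    if ($Entry -match '(?i)^smtp:(.+)$')   { return $Matches[1] }
    if ($Entry -match '\[SMTP:([^\]]+)\]') { return $Matches[1] }
    $id = if ($Entry -match '\[EX:([^\]]+)\]') { $Matches[1] } else { $Entry }
    $r = Get-Recipient -Identity $id -ErrorAction SilentlyContinue
    if (-not $r) { return $null }
    # Mail contacts, mail users and guests carry the outside address here.
    if ($r.ExternalEmailAddress) { return ("$($r.ExternalEmailAddress)" -replace '(?i)^smtp:', '') }
    return "$($r.PrimarySmtpAddress)"
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Where, $Id, $Target) {
    $findings.Add([pscustomobject]@{
        Where    = $Where
        Identity = "$Id"
        Target   = $Target
        # An unresolvable target is reported as external so that a person looks at it.
        External = ($null -eq $Target) -or (Test-ExternalAddress $Target)
    })
}

# 1. The mailbox-level "forwarding" setting.
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingAddress)     { Add-Finding 'Mailbox.ForwardingAddress'     $mbx.Identity (Resolve-Target "$($mbx.ForwardingAddress)") }
if ($mbx.ForwardingSmtpAddress) { Add-Finding 'Mailbox.ForwardingSmtpAddress' $mbx.Identity (Resolve-Target "$($mbx.ForwardingSmtpAddress)") }

# 2. Inbox rules that forward, forward as attachment, or redirect.
foreach ($rule in @(Get-InboxRule -Mailbox $Mailbox)) {
    foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        foreach ($entry in @($rule.$action)) {
            if ($entry) { Add-Finding "Rule.$action" $rule.Identity (Resolve-Target "$entry") }
        }
    }
}

$findings | Format-Table -AutoSize | Out-Host
$external = @($findings | Where-Object External)
if ($external.Count -eq 0) { Write-Host "No external forwarding on $Mailbox"; return }
if (-not $Remediate) {
    Write-Warning "$($external.Count) external forwarding target(s) on $Mailbox; re-run with -Remediate to remove them"
    return
}

# 3. Remediation. Keep the table above as evidence first: the policy calls for
#    removing the rule, and Remove-InboxRule leaves nothing behind to inspect.
if ($external | Where-Object { $_.Where -like 'Mailbox.*' }) {
    if ($PSCmdlet.ShouldProcess($Mailbox, 'Clear mailbox forwarding')) {
        Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    }
}
foreach ($id in @($external | Where-Object { $_.Where -like 'Rule.*' } | Select-Object -ExpandProperty Identity -Unique)) {
    if ($PSCmdlet.ShouldProcess($id, 'Remove inbox rule')) {
        Remove-InboxRule -Identity $id -Confirm:$false
    }
}
```

Run it once without -Remediate and attach the table to the ticket, then run it with -Remediate (or -WhatIf first) to clear the forwarding. Because the script uses SupportsShouldProcess, -WhatIf flows through to Set-Mailbox and Remove-InboxRule.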
Exceptions
If the user wishes to have an exception to the policy made, they should provide IT Support with the business case and description of expected correspondence activities as described in the policy above. IT Support will then forward that information on to the director of IT for review and further instructions.
Escalation
IT Support shall seek help from the IT Engineering team if any part of the investigation or remediation steps are unclear or problematic.