Leveraging M365 Transport Rules and Email Moderation: A Case Study of a Rarely Used TTP in Spear Phishing

Executive Outlook

When confronted with the possibility of cyber threats, the crucial factor is resilience. Organizations that integrate security into their operational frameworks from the outset, rather than treating it as an after-the-fact addition, position themselves most advantageously to navigate the evolving landscape of risks in the present day.  

As email compromise continues to plague organizations of all sizes (especially those owned by Private Equity firms), Enduir synthesizes and applies the lessons learned from hundreds of unique incident response cases into our proactive assessment methodologies.  

Technical Case Study – Enduir the Attack 

Enduir recently assisted a client in a unique case where we observed a shift in attacker behavior that led to over $3mm in lost wire transfers. The attacker not only used traditional Tactics, Techniques, and Procedures (TTPs), such as the creation of Inbox rules and the manipulation of mailbox permissions, but also utilized a couple that are not frequently observed – transport rules and email moderation. 

The attacker initially gained access by successfully spear phishing an administrator account with global admin privileges. Upon gaining global admin credentials, the attacker logged in to the compromised account and created a new, previously unknown global admin account that they could use to remain undetected. At this point, the attacker had the keys to the kingdom; however, to further obscure their activity, the attacker leveraged transport rules and email moderation, both native Microsoft 365 features, to conduct the rest of the attack. 

Transport Rules, or Mail Flow Rules, are like Inbox rules except that they act on messages while they are in transit rather than after the message is delivered to the mailbox. In this case, the attacker managed to permanently delete some Transport Rules, rendering them unrecoverable. The rules whose parameters were still visible and intact, however, had been created by the attacker to hide their activity not only from the key players targeted in the fraudulent wire transfer but also from the organization’s cybersecurity insight platform and its own cybersecurity team. This effectively allowed them to operate under the radar, eliminating the chances of early detection. 


Figure 1: Malicious Transport Rule to Evade Detection

Email Moderation, or Moderated Recipients, is a little-known Exchange Online feature that allows an administrator to approve messages before they are delivered to the intended recipients’ mailboxes. In this case, the attacker used moderation to intercept messages, which are held temporarily in a system mailbox called the arbitration mailbox. The moderator (here, the attacker) can take one of three actions on a held message: Approve, Reject, or Ignore. The attacker used Transport Rules to specify the message criteria, to set their maliciously created account as the approver of message delivery, and to delete any messages rejected by the moderation action. 

Figure 2: Malicious Transport Rule Leveraging Email Moderation
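The two features described above can be audited from the configuration side. The following Exchange Online PowerShell function is an added example written for this article, not Enduir's tooling or Microsoft's; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run. It walks every mail flow rule and flags the actions that can hold, hide or divert mail: moderation by anyone outside a hypothetical allow-list of approvers (the -ApprovedModerators parameter is an assumption, not a tenant setting), silent deletion, and, more generally than this case, redirect and Bcc actions, plus any rule changed recently.

```powershell
# Added example (not Enduir's or Microsoft's code). Assumes the ExchangeOnlineManagement
# module is installed and Connect-ExchangeOnline has already been run. Reviews every mail
# flow rule for actions that could silently intercept or suppress mail, as in the case above.
function Get-SuspiciousTransportRule {
    param(
        # Hypothetical allow-list: moderator addresses the organization actually intends to use.
        [string[]]$ApprovedModerators = @(),
        # Rules created or changed within this many days are flagged for review regardless of action.
        [int]$RecentDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($rule in Get-TransportRule -ResultSize Unlimited) {
        $reasons = @()

        # Moderation holds matching mail in the arbitration mailbox until an approver acts on it.
        if ($rule.ModerateMessageByUser) {
            $unexpected = @($rule.ModerateMessageByUser | ForEach-Object { "$_" } |
                Where-Object { $ApprovedModerators -notcontains $_ })
            if ($unexpected.Count -gt 0) {
                $reasons += "moderated by unapproved user(s): $($unexpected -join ', ')"
            }
        }
        if ($rule.ModerateMessageByManager) { $reasons += "moderated by sender's manager" }

        # Deleting without notification hides the message from sender and recipient alike.
        if ($rule.DeleteMessage) { $reasons += "deletes matching messages silently" }

        # Redirect/Bcc are general interception actions worth reviewing (not specific to this case).
        if ($rule.RedirectMessageTo) { $reasons += "redirects to: $($rule.RedirectMessageTo -join ', ')" }
        if ($rule.BlindCopyTo)       { $reasons += "blind-copies to: $($rule.BlindCopyTo -join ', ')" }

        if ($rule.WhenChanged -gt $cutoff) { $reasons += "changed $($rule.WhenChanged.ToString('u'))" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $rule.Name
                State       = $rule.State
                Mode        = $rule.Mode
                Priority    = $rule.Priority
                WhenChanged = $rule.WhenChanged
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Usage: list flagged rules, most recently changed first.
Get-SuspiciousTransportRule -ApprovedModerators 'mail-approver@example.com' |
    Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Note that this only sees rules that still exist; a rule the attacker has already removed, as happened here, leaves no trace in Get-TransportRule output and has to be reconstructed from the audit log instead.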

 

Recommendations to Become Resilient 

A few key controls could have prevented this incident from occurring or at least allowed the organization to detect the attack more quickly. These are just some of the foundational configurations that should be validated frequently to ensure the email environment is well protected. 

1. Restrict access to the environment using conditional access policies and correctly enable multi-factor authentication 

In this case, multi-factor authentication was only partially enabled, and the organization was relying on a non-native enforcement mechanism (i.e., Duo). This led to blind spots in enforcement that were exploited by the threat actor.

2. Create separate administrator accounts for each individual administrator and remove mailbox access from them 

Because the global administrator used their privileged credentials for day-to-day email, those credentials were directly compromised via spear phishing. Had the privileged account had no mailbox, this would not have been possible. 

3. Alert on new administrative user creation or change in privileges 

An alert delivered over an out-of-band channel (e.g., Teams/Slack, text message) could have notified the organization of a newly created, unauthorized administrative account. 

4. Continuously remind and teach employees and administrators alike of cyber best practices 

In this situation, the Global Admin engaged with a phishing email even though the email filter had flagged and contained it. This shows that social engineering awareness and routine training remain a valuable layer in a company’s multilayered defense against a damaging attack. 

5. Monitor transport (Mail Flow) rules and alerts 

A periodic review of recently created or modified mail flow (transport) rules would have identified the unauthorized configuration changes. 
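Recommendations 3 and 5 both come down to reviewing the tenant's unified audit log, which records who ran which admin action and when. The function below is an added example written for this article, not Enduir's or Microsoft's code; it assumes a connected Exchange Online PowerShell session and that unified audit logging is enabled for the tenant. It pulls the Exchange cmdlets that create, change, enable, disable or remove mail flow rules together with the Entra ID operations recorded when a user is created or added to a directory role, and flattens each record into one reviewable row.

```powershell
# Added example (not Enduir's or Microsoft's code). Assumes Connect-ExchangeOnline has run and
# unified audit logging is enabled for the tenant. Pulls the admin actions behind
# recommendations 3 and 5: user/role additions and every mail flow rule change.
function Get-MailFlowAndAdminAudit {
    param([int]$Days = 30)

    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date

    # Exchange admin cmdlets that touch mail flow rules, plus the Entra ID operations
    # recorded when a user is created or added to a directory role.
    $operations = @(
        'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule',
        'Enable-TransportRule', 'Disable-TransportRule',
        'Add user.', 'Add member to role.'
    )

    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -ResultSize 5000

    foreach ($record in $records) {
        # AuditData is a JSON string; its shape differs between Exchange and Entra records.
        $data = $record.AuditData | ConvertFrom-Json

        $details = ''
        if ($data.Parameters) {
            # Exchange records carry the cmdlet parameters, e.g. ModerateMessageByUser or DeleteMessage.
            $details = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        } elseif ($data.ModifiedProperties) {
            # Entra records carry the changed properties, e.g. the role display name.
            $details = ($data.ModifiedProperties | ForEach-Object { "$($_.Name)=$($_.NewValue)" }) -join ' '
        }

        [pscustomobject]@{
            Time      = [datetime]$data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            Target    = $data.ObjectId
            Details   = $details
        }
    }
}

# Usage: review the last 30 days, oldest first.
Get-MailFlowAndAdminAudit -Days 30 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A Remove-TransportRule record still identifies who deleted a rule and when, even though the rule's own configuration is gone from the tenant, which is why the audit log rather than the live rule set is the place to look after an incident like this one. Running the same query on a schedule and forwarding any hits to an out-of-band channel is the alerting described in recommendation 3.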

 

Enduir the next Attack and Become Resilient.

Whether you are experiencing a live attack or want a proactive review of your email security, Enduir’s M365 Email configuration review of over 50 specific settings can help make sure you are well protected from business email compromises such as this one.