Attackers like to abuse Outlook for a variety of purposes. For example, an attacker could auto-forward emails to a remote address, or persist inside a network by creating client-side rules that execute a malicious program/script when a user receives an email. Is there a way to query the Outlook rules stored in Exchange in order to detect potentially malicious rules? Is it possible to block some Outlook rule types (e.g. executing a program/script)?
2 Answers
In Exchange
In PowerShell (of course!), there is the somewhat handy Get-InboxRule (TechNet link). I say somewhat handy because it can only query against a single mailbox.
- This can be used to spot-check a single mailbox (Finance Users, Executives, users with privileged access, etc.)
- It is also possible to use loops and pipes to iterate through an array, such as one from a CSV.
Since you are trying to detect specific types of rules (leaking information outside the organization), I would suggest you look for some specific rule properties.
- DeleteMessage = True
- ForwardAsAttachmentTo = (not null)
- ForwardTo = (not null)
There might be others that are relevant to you. Use Get-InboxRule -Mailbox alias@domain.com | FL to list out all the properties, or reference the Technet article linked.
Not all rules are in Exchange. :(
It's true! Some rule types are in the Outlook client only. This link provides guidance on the rule types that would be more difficult to track down.
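The loop-and-filter approach the answer above describes, written out as an added example (this is not the answer's own code). It assumes an Exchange Management Shell or remote PowerShell session with Get-Mailbox, Get-InboxRule and Get-AcceptedDomain available, and that the ForwardTo / ForwardAsAttachmentTo / RedirectTo values contain an "[SMTP:address]" token; that display format is an assumption and the regex relies only on the "SMTP:" part. Rules that forward or redirect to a domain the organisation does not own, or that delete mail outright, are reported and written to a CSV so successive sweeps can be diffed. Remember that this only sees server-side rules; client-only rules never show up in Get-InboxRule.

```powershell
# Added example: sweep every mailbox for inbox rules that leak or hide mail.
# Assumes an Exchange (on-prem or Online) PowerShell session.

# Domains the organisation owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToString().ToLower() }

# Extract the SMTP address from a recipient value such as
#   "Alice Smith" [SMTP:alice@contoso.com]
# (assumption: exact rendering varies by version, so only "SMTP:" is relied on).
function Get-SmtpAddress {
    param([string]$Recipient)
    if ($Recipient -match 'SMTP:([^\]\s]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    $domain = $Address.Split('@')[-1]
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # Collect every destination the rule sends mail to, in any of the three forms.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } |
            ForEach-Object { Get-SmtpAddress -Recipient $_.ToString() }
        $external = @($targets | Where-Object { Test-ExternalAddress -Address $_ })

        # Report only rules that move mail outside the org or silently delete it.
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox         = $mbx.PrimarySmtpAddress
                RuleName        = $rule.Name
                Enabled         = $rule.Enabled
                DeleteMessage   = [bool]$rule.DeleteMessage
                ExternalTargets = ($external -join ';')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Keep a dated CSV so the next sweep can be diffed against this one.
$findings | Export-Csv -NoTypeInformation -Path "InboxRuleSweep-$(Get-Date -Format yyyyMMdd).csv"
```

Treat any hit on an executive or finance mailbox as an incident rather than a curiosity: a forward to a free-mail domain combined with DeleteMessage = True is the classic business-email-compromise pattern, and the rule will keep working after the password is reset unless it is removed.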
The best solution I'm aware of right now is to use the tool NotRuler. In addition, a half-baked solution is to pull out the binary blob in which the rule action is stored (one example is found here, using the Exchange Web Services Managed API) and run strings on the rule action's binary blob, looking for any suspicious strings (running strings is a hacky way to analyze the blob, since its structure is not documented).
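An added example of the "run strings on the blob" idea from the answer above, not the answer's or NotRuler's code. Windows components commonly store paths as UTF-16LE, so a plain ASCII strings pass (GNU strings without -e l) can miss exactly the executable path you are looking for; this PowerShell version extracts both ASCII and UTF-16LE runs and then matches them against a small, assumed list of indicators (executable extensions, UNC paths, LOLBin names). The blob is constructed inline for illustration; in practice the byte[] would be the rule action property fetched via EWS as the answer describes.

```powershell
# Added example: strings-style triage of a rule action blob (ASCII + UTF-16LE).

function Get-BlobStrings {
    param([byte[]]$Bytes, [int]$MinLength = 4)
    $results = [System.Collections.Generic.List[string]]::new()

    # Decode with Latin-1 so every byte maps to exactly one char; regexes then
    # operate on raw byte values.
    $raw = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($Bytes)

    # ASCII runs of printable bytes.
    foreach ($m in [regex]::Matches($raw, "[\x20-\x7E]{$MinLength,}")) {
        $results.Add($m.Value)
    }
    # UTF-16LE runs: printable byte followed by NUL, repeated. Strip the NULs.
    foreach ($m in [regex]::Matches($raw, "(?:[\x20-\x7E]\x00){$MinLength,}")) {
        $results.Add(($m.Value -replace "`0", ''))
    }
    return $results
}

# Indicators (assumed list; extend for your environment).
$suspicious = @(
    '\.(exe|bat|cmd|ps1|vbs|js|hta|scr|dll)\b',   # executable / script extensions
    '^\\\\',                                      # UNC path: payload hosted on a share
    'powershell|cmd\.exe|mshta|rundll32|regsvr32' # common launchers
)

function Find-SuspiciousRuleStrings {
    param([byte[]]$Blob)
    Get-BlobStrings -Bytes $Blob | ForEach-Object {
        $s = $_
        foreach ($p in $suspicious) {
            if ($s -match $p) {
                [pscustomobject]@{ Indicator = $p; Value = $s }
                break   # one report per string is enough
            }
        }
    }
}

# Constructed sample blob: a few header-like bytes, a UTF-16LE UNC path to an
# executable, a terminator, then an ASCII rule name that should not be flagged.
$sample = [byte[]]@(
    [byte[]](0x02,0x00,0x01,0x80,0x0A,0x00) +
    [System.Text.Encoding]::Unicode.GetBytes('\\fileserver\share\update.exe') +
    [byte[]](0x00,0x00) +
    [System.Text.Encoding]::ASCII.GetBytes('Finance report rule')
)

Find-SuspiciousRuleStrings -Blob $sample | Format-Table -AutoSize
```

On the sample blob only the UNC path is reported (it hits the extension pattern first); "Finance report rule" passes through untouched. Because the blob layout is undocumented, treat a hit as a reason to pull the rule and the mailbox for closer inspection, not as proof by itself, and expect some benign rules that reference legitimate scripts to show up too.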