Audit-MailboxRuleToExternalRecipient.ps1

<#PSScriptInfo
 
.VERSION 1.0
 
.GUID 0cf95b8e-66df-4d13-b0f1-976ce0246427
 
.DESCRIPTION Review user inbox rules to check for delivery to external recipients.
 
.AUTHOR Aaron Guilmette
 
.COMPANYNAME Microsoft
 
.COPYRIGHT 2021
 
.TAGS Azure AzureAD Office365 Outlook Inbox Rule
 
.LICENSEURI
 
.PROJECTURI https://www.undocumented-features.com/2017/11/17/detecting-outlook-exchange-data-exfiltration/
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
#>


<#
.SYNOPSIS
Review user inbox rules to check for delivery to external recipients.
 
.PARAMETER FilePath
Specify path for output file. Default is Date_UserInboxRuleDataExfiltrationAudit.csv
 
.LINK
https://blogs.technet.microsoft.com/undocumentedfeatures/?p=2145
 
.LINK
https://gallery.technet.microsoft.com/Audit-Mailbox-Rules-to-60710f28
 
.NOTES
2017-11-17 Initial Release
#>

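Param (
    # Report path. The date is computed inside the default expression because
    # parameter defaults are evaluated before any statement in the script body,
    # so a variable assigned later in the script is still empty at this point.
    $FilePath = ".\$(Get-Date -Format yyyyMMdd)_UserInboxRuleDataExfiltrationAudit.csv"
    )

# Scope: this audit looks only at the ForwardAsAttachmentTo, ForwardTo and
# RedirectTo actions of enabled inbox rules. Disabled rules and mailbox-level
# forwarding settings are not examined here.

# Quote one CSV field, doubling any embedded double quotes so that a quote
# inside a recipient string cannot break the row apart.
function ConvertTo-QuotedCsvField
{
    Param ([string]$Text)
    '"' + $Text.Replace('"', '""') + '"'
}

# Build the "internal recipient" pattern from the accepted domains.
# NOTE(review): this reads the Name property of each accepted domain; confirm
# that Name equals the SMTP domain in this organization.
$Domains = Get-AcceptedDomain
$EscapedDomains = @($Domains.Name | Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) })
If ($EscapedDomains.Count -eq 0)
{
    # With no domains the pattern would match every address and the audit would
    # silently report nothing, so stop before a clean-looking report is written.
    throw "Get-AcceptedDomain returned no domain names; cannot tell internal from external recipients."
}

# The "@" applies to every alternative, and the lookahead requires the domain to
# end right after the match. Without both, an address such as
# user@contoso.com.example.net or user@notcontoso.com (constructed examples)
# would be treated as internal and never reported.
[regex]$RegDomains = '(?i)@(?:' + ($EscapedDomains -join '|') + ')(?![A-Za-z0-9.\-])'

$Header = '"EmailAddress","RuleName","Value","Note"'
$Header | Out-File $FilePath -Force

$Note = "Possible mail forwarding exfiltration. Message forwarded to domain not in Exchange Online."
$Actions = "ForwardAsAttachmentTo", "ForwardTo", "RedirectTo"

$Users = Get-Mailbox -Resultsize Unlimited
foreach ($User in $Users)
{
    $InboxRules = Get-InboxRule -Mailbox $User.PrimarySmtpAddress
    foreach ($Rule in $InboxRules)
    {
        # Only enabled rules are reported.
        If ($Rule.Enabled -ne $True) { continue }

        foreach ($Action in $Actions)
        {
            # Test each recipient on its own. Applying -match/-notmatch to the
            # whole recipient list filters it, so one SMTP recipient plus one
            # unrelated non-matching entry would flag a rule that only delivers
            # internally.
            $External = @($Rule.$Action | Where-Object { $_ -match "smtp" -and $_ -notmatch $RegDomains })
            If ($External.Count -gt 0)
            {
                # The Value column lists every recipient of the action. This is
                # text chosen by whoever created the rule; treat the report as
                # untrusted data when opening it in a spreadsheet.
                $Fields = $User.PrimarySmtpAddress, $Action, (@($Rule.$Action) -join ";"), $Note

                # Join the already-quoted fields explicitly. Chaining "+" and
                # -join in one expression makes everything after -join the
                # separator, which drops the closing quote and the Note column.
                $RuleData = ($Fields | ForEach-Object { ConvertTo-QuotedCsvField $_ }) -join ","
                $RuleData | Out-File -FilePath $FilePath -Append
            }
        }
    }
}
Write-Host -ForegroundColor Green "Reviewed Inbox Rules for users forwarding outside of organization. Report is located at $($FilePath)."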