
<#PSScriptInfo
 
.VERSION 1.0
 
.GUID 95aeb2b8-9bb7-47ff-9b7b-f4637b0f4911
 
.DESCRIPTION Review Exchange transport rules for actions (add To/Cc/Bcc recipient, redirect) that deliver messages to addresses outside the organization's accepted domains, and write the findings to a CSV report.
 
.AUTHOR Aaron Guilmette
 
.COMPANYNAME Microsoft
 
.COPYRIGHT 2021
 
.TAGS Azure AzureAD Office365 EXO Exchange Online Transport Rules
 
.LICENSEURI
 
.PROJECTURI https://www.undocumented-features.com/2017/11/17/detecting-outlook-exchange-data-exfiltration/
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
#>


<#
.SYNOPSIS
Review Exchange transport rules for actions (add To/Cc/Bcc recipient, redirect) that deliver messages to addresses outside the organization's accepted domains. Requires an Exchange Online or Exchange Management Shell session that provides Get-AcceptedDomain and Get-TransportRule.
 
.PARAMETER FilePath
Path of the CSV report to write (an existing file is overwritten). Default is .\<yyyyMMdd>_TransportRuleExternalDomainAudit.csv in the current directory.
 
.LINK
https://www.undocumented-features.com/2017/11/17/detecting-outlook-exchange-data-exfiltration/
 
.NOTES
2017-11-17 Initial Release
#>

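Param (
    # Output CSV path. The date is computed inline: Param defaults are evaluated
    # before the script body, so the previous reference to a $Date variable that
    # was only assigned later expanded to an empty string and the default file
    # was ".\_TransportRuleExternalDomainAudit.csv".
    $FilePath = ".\$(Get-Date -Format yyyyMMdd)_TransportRuleExternalDomainAudit.csv"
)

# Both cmdlets come from an Exchange session. Fail early with a clear message
# instead of emitting an empty, misleadingly "clean" report.
foreach ($Cmd in 'Get-AcceptedDomain', 'Get-TransportRule')
{
    if (-not (Get-Command $Cmd -ErrorAction SilentlyContinue))
    {
        throw "$Cmd is not available. Connect to Exchange (e.g. Connect-ExchangeOnline) before running this script."
    }
}

# Build a regex that matches an SMTP address whose domain part is an accepted
# domain. Each alternative is regex-escaped, the group is anchored to '@' on the
# left and end-of-string on the right. The previous pattern only prefixed '\@'
# to the FIRST alternative and had no end anchor, so addresses such as
# user@contoso.com.attacker.example or user@notcontoso.com were treated as
# internal and never reported.
$Domains = @(Get-AcceptedDomain)
if ($Domains.Count -eq 0)
{
    throw "Get-AcceptedDomain returned no domains; cannot classify recipients."
}
$DomainPatterns = foreach ($Domain in $Domains)
{
    # DomainName is the SMTP domain; Name is a label that usually but not
    # necessarily equals it. Fall back to Name only when DomainName is empty.
    $Smtp = if ($Domain.DomainName) { "$($Domain.DomainName)" } else { "$($Domain.Name)" }
    # Accepted domains may include subdomains ("*.contoso.com"); let the '*'
    # match a label prefix rather than a literal asterisk so sub-domain
    # recipients are classed as internal instead of being flagged.
    [regex]::Escape($Smtp) -replace '\\\*', '[^@\s]*'
}
[regex]$RegDomains = '(?i)\@(?:' + ($DomainPatterns -join '|') + ')\s*$'

# Transport-rule actions that deliver a copy or redirect of the message to an
# arbitrary address. Other actions that can leak content (e.g. incident reports,
# notifications) are out of scope for this check.
$RecipientProperties = 'AddToRecipients', 'CopyTo', 'BlindCopyTo', 'RedirectMessageTo'

$TransportRules = @(Get-TransportRule)
$Findings = New-Object System.Collections.Generic.List[object]
foreach ($Rule in $TransportRules)
{
    foreach ($Property in $RecipientProperties)
    {
        # Normalise the multi-valued property to a string array; skip empties.
        $Recipients = @($Rule.$Property | ForEach-Object { "$_" } | Where-Object { $_ })
        if ($Recipients.Count -eq 0) { continue }

        # Test every address individually: a rule that adds one internal and
        # one external recipient is still a possible exfiltration path.
        $External = @($Recipients | Where-Object { $_ -notmatch $RegDomains })
        if ($External.Count -eq 0) { continue }

        # Same four columns as before. Disabled rules are still reported (they
        # can be re-enabled) but their state is recorded for triage.
        $Findings.Add([PSCustomObject]@{
            TransportRule = $Rule.Name
            Property      = $Property
            Value         = $Recipients -join ';'
            Note          = 'Possible external recipient / data exfiltration (external: ' + ($External -join ';') + '; rule state: ' + "$($Rule.State)" + ')'
        })
    }
}

# Export-Csv quotes and escapes fields properly; the previous hand-built rows
# lost the closing quote and the Note column because '-join' binds more loosely
# than '+', and would have broken on rule names containing quotes or commas.
# UTF8 avoids the ASCII default mangling non-ASCII rule names. An empty result
# still produces a header-only file so "nothing found" is distinguishable from
# "script did not run".
if ($Findings.Count -gt 0)
{
    $Findings | Export-Csv -Path $FilePath -NoTypeInformation -Encoding UTF8 -Force
}
else
{
    '"TransportRule","Property","Value","Note"' | Out-File -FilePath $FilePath -Force
}

Write-Host -ForegroundColor Green "Reviewed $($TransportRules.Count) Transport Rules for rules forwarding messages outside of org; $($Findings.Count) finding(s). Report is located at $($FilePath)."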