Enhanced Microsoft Exchange External Forwarding Detection #1529

Merged
merged 6 commits into from
Mar 4, 2025

Conversation

@arielkr256 (Contributor) commented Mar 4, 2025

Description:

This PR significantly improves the accuracy and capabilities of the Microsoft Exchange external forwarding detection rule. The changes include:

Key Improvements:

  • Removed dependency on user configuration - The rule now automatically determines internal domains from the event context instead of relying on predefined allow lists (MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS and MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS)
  • Improved external domain detection by properly handling both primary and onmicrosoft.com domains
  • Added detection of multiple suspicious forwarding patterns:
    • Forwarding without keeping a copy (DeliverToMailboxAndForward=False)
    • Message deletion after forwarding (DeleteMessage=True)
    • Rule processing termination (StopProcessingRules=True)
  • Enhanced handling of multiple forwarding methods:
    • SMTP forwarding
    • Direct forwarding
    • Forwarding as attachment
    • Redirect rules
  • Better support for multiple forwarding addresses (semicolon-separated)
  • Added comprehensive test cases covering various scenarios
  • Improved alert context and title formatting to include suspicious patterns

Documentation Updates:

  • Expanded rule description with detailed detection capabilities
  • Added MITRE ATT&CK mappings for:
    • Persistence (T1137.005 - Outlook Rules)
    • Collection (T1114.003 - Email Forwarding Rule)
    • Exfiltration (T1020 - Automated Exfiltration)
  • Added detailed runbook with investigation and response steps
  • Added relevant tags for better categorization

Testing:

The PR includes extensive test cases covering:

  • External vs internal domain forwarding
  • Subdomain handling
  • Multiple forwarding addresses
  • Various suspicious patterns
  • Edge cases (invalid formats, missing organization info)
  • Different TLD scenarios

Impact:

This enhancement will provide better detection coverage for potential data exfiltration attempts via email forwarding while reducing false positives through more accurate domain validation. The removal of configuration dependencies makes the rule more maintainable and reduces the operational overhead of managing allow lists.
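An added illustration of the logic the description outlines, written for this page (it is neither the PR's code nor Panther's shipped rule): internal domains are derived from the event itself rather than an allow list, the comparison is subdomain-aware, targets are split on semicolons across the SMTP, direct, as-attachment and redirect parameters, and the three suspicious flags enrich the match. The event shape (UserId, OrganizationName, Parameters as Name/Value pairs) is assumed and the sample event is constructed; when no internal domain can be derived, every target is treated as external, erring toward alerting.

```python
# Constructed sample Exchange admin-audit event (shape assumed, not from the PR).
SAMPLE_EVENT = {
    "UserId": "alice@contoso.com",
    "OrganizationName": "contoso.onmicrosoft.com",
    "Parameters": [
        {"Name": "ForwardTo", "Value": "smtp:bob@mail.contoso.com;smtp:drop@evil-example.net"},
        {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "StopProcessingRules", "Value": "True"},
    ],
}
# Parameters carrying forwarding targets (SMTP, direct, as-attachment, redirect).
FORWARDING_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                     "ForwardAsAttachmentTo", "RedirectTo")
# Parameter values that keep forwarded mail out of the mailbox owner's view.
SUSPICIOUS_FLAGS = {"DeliverToMailboxAndForward": "false",
                    "DeleteMessage": "true", "StopProcessingRules": "true"}

def params(event):
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}

def internal_domains(event):
    """Actor's primary domain plus the tenant's onmicrosoft.com domain; no allow list."""
    domains = set()
    if "@" in event.get("UserId", ""):
        domains.add(event["UserId"].rsplit("@", 1)[1].lower())
    org = event.get("OrganizationName", "").lower()
    if org.endswith(".onmicrosoft.com"):
        domains.add(org)
    return domains

def is_internal(addr, domains):
    domain = addr.lower().rsplit("@", 1)[-1]  # a subdomain of an internal domain is internal
    return any(domain == d or domain.endswith("." + d) for d in domains)

def external_recipients(event):
    """Targets outside the derived domains; 'smtp:' prefix stripped, ';' lists split."""
    p, domains, found = params(event), internal_domains(event), []
    for name in FORWARDING_PARAMS:
        for raw in p.get(name, "").split(";"):
            addr = raw.strip().lower().removeprefix("smtp:")
            if "@" in addr and not is_internal(addr, domains):
                found.append(addr)
    return found

def suspicious_flags(event):
    p = params(event)
    return [n for n, v in SUSPICIOUS_FLAGS.items() if p.get(n, "").lower() == v]

def rule(event):
    return bool(external_recipients(event))
```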

@arielkr256 arielkr256 requested a review from a team as a code owner March 4, 2025 00:23
@arielkr256 arielkr256 changed the title reworked the rule to be more accurate Enhanced Microsoft Exchange External Forwarding Detection Mar 4, 2025
@arielkr256 (Contributor, Author) commented:

check-deprecated is failing because the RuleID was moved from the bottom of the file to above the tests for better readability. The RuleID itself has not changed.

@arielkr256 arielkr256 marked this pull request as draft March 4, 2025 00:44
@arielkr256 arielkr256 added rules Real-time log data detections tuning detection tuning labels Mar 4, 2025
@arielkr256 arielkr256 marked this pull request as ready for review March 4, 2025 17:03
@arielkr256 arielkr256 added this pull request to the merge queue Mar 4, 2025
Merged via the queue into develop with commit 17515a1 Mar 4, 2025
6 of 7 checks passed
@arielkr256 arielkr256 deleted the ask-1544-exchange-email-config branch March 4, 2025 17:06
akozlovets098 pushed a commit that referenced this pull request Mar 7, 2025