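A classic BEC (business email compromise) tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for mailboxes whose mailbox-level forwarding address (the ForwardingSmtpAddress property) points to an external domain. Per-user inbox rules, which Get-InboxRule returns, are not examined by it.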

1. The Workflow

The script performs the following steps:

  • Connection: Authenticates to Exchange Online with the Connect-ExchangeOnline cmdlet from the ExchangeOnlineManagement module.
  • Auditing: Iterates through all user mailboxes, checking the ForwardingSmtpAddress property of each.
  • Evaluation: Compares the domain of the forwarding destination against the tenant’s accepted domains.
  • Alerting: Writes a high-priority warning to the console for each mailbox that forwards to an external address.

2. The Implementation

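# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant accepts mail for; any other destination domain is external
$AcceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
    if ($Mailbox.ForwardingSmtpAddress) {
        # Strip the "smtp:" prefix regardless of case
        $ForwardDestination = "$($Mailbox.ForwardingSmtpAddress)" -replace '^smtp:', ''
        # Compare the destination's domain exactly. A regex or substring match would
        # also pass addresses that merely contain an accepted domain somewhere.
        $ForwardDomain = ($ForwardDestination -split '@')[-1]
        if ($AcceptedDomains -notcontains $ForwardDomain) {
            Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
        }
    }
}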
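
The evaluation step run offline against constructed addresses, as an added example that is not part of the original script: it contrasts a substring regex test on the whole address with an exact comparison of the destination's domain. `Get-ForwardDomain`, `Test-ExternalForward` and every domain and address below are hypothetical and introduced only for this illustration.

```powershell
# Added example, not from the original page. All domains and addresses are constructed.
$AcceptedDomains = @('contoso.com', 'contoso.onmicrosoft.com')  # stand-in for Get-AcceptedDomain

function Get-ForwardDomain {
    param([Parameter(Mandatory)][string]$ForwardingSmtpAddress)
    # Drop the optional "smtp:" prefix (-replace is case-insensitive), then keep
    # everything after the last "@" as the destination domain.
    $address = ($ForwardingSmtpAddress -replace '^smtp:', '').Trim()
    $at = $address.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $address.Length - 1) { return $null }  # no usable domain part
    return $address.Substring($at + 1).ToLowerInvariant()
}

function Test-ExternalForward {
    param(
        [Parameter(Mandatory)][string]$ForwardingSmtpAddress,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $domain = Get-ForwardDomain -ForwardingSmtpAddress $ForwardingSmtpAddress
    # A destination that cannot be parsed is reported rather than assumed internal.
    if (-not $domain) { return $true }
    # Exact, case-insensitive membership test against the accepted domains.
    return ($AcceptedDomains -notcontains $domain)
}

# Constructed destinations: one internal address and four that only resemble one.
$samples = @(
    'smtp:alice@contoso.com',              # internal
    'smtp:carol@contoso.com.example.net',  # accepted domain is a prefix of the real domain
    'smtp:dave@notcontoso.com',            # accepted domain is a suffix of the real domain
    'smtp:contoso.com@example.org',        # accepted domain appears in the local part
    'smtp:erin@contosoXcom.example'        # unescaped "." in a regex matches any character
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Destination           = $_
        # Substring regex over the whole address, built by joining the domains with "|"
        FlaggedBySubstringTest = ($_.Replace('smtp:', '') -notmatch ($AcceptedDomains -join '|'))
        # Exact comparison of the parsed domain
        FlaggedByExactDomain   = (Test-ExternalForward -ForwardingSmtpAddress $_ -AcceptedDomains $AcceptedDomains)
    }
} | Format-Table -AutoSize
```

Rows where the two columns disagree are destinations that an audit based on the substring test would leave unreported.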