ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR015.003
  • Created: 31st May 2024
  • Updated: 09th June 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Email Forwarding Rule

The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another.

Prevention

ID Name Description
PV017Prohibit Email Auto-Forwarding to External Domains, Exchange

Various methods can be used within Exchange to prevent internal emails being auto-forwarded to remote domains. This can prevent exfiltration via email auto-forwarding rules.

Detection

ID Name Description
DT048Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

DT041Email Gateway

Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients.

DT040Microsoft Exchange Message Trace

Message trace is a feature within Exchange that permits the ability to identify inbound and outbound emails within the organization.

This can be used to see which mailboxes have sent or received emails, the time, the subject line, and recipients.