Improvements to sus inbox rule detection
syne0 committed Sep 11, 2024
1 parent ee1c95b commit 147f1fa
Showing 4 changed files with 41 additions and 16 deletions.
5 changes: 5 additions & 0 deletions Osprey/changelog.md
@@ -1,4 1,9 @@
# Changelog
## 1.0.3 (2024-09-11)
- EULA now only prompts once per Osprey install.
- SkipUpdate flag now actually works.
- Added validation to ensure correct version of EXO PowerShell is installed to bypass errors related to EXO and Graph and Azure.Core.dll.
- Moved suspicious inbox rule detection to it's own function, added additional criteria to flag.
## 1.0.2 (2024-08-31)
- Removed PSAppInsights dependencies and features.
- Fixed various bugs found during public testing.
17 changes: 9 additions & 8 deletions Osprey/functions/Tenant/Get-OspreyTenantExchangeLogs.ps1
Expand Up @@ -66,22 66,23 @@ Function Get-OspreyTenantExchangeLogs {
}
}
$NewRuleReport | Out-MultipleFileType -fileprefix "New_InboxRule" -csv

#sus rule investigation
$InvestigateLog = @()
Foreach ($rule in $NewRuleReport) {
$Investigate = $false
if ($rule.DeleteMessage -eq $true) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.ForwardAsAttachmentTo))) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.ForwardTo))) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.RedirectTo))) { $Investigate = $true }
if ($rule.MoveToFolder -in "Archive", "Conversation History", "RSS Subscription") { $Investigate = $true }


#comparison, call function
$investigate = Compare-SusInboxRule -InboxRule $rule
#if the function call returns true
#doing it this exact way probably isnt best practice but it works sooooo idc
if ($Investigate -eq $true) {
$InvestigateLog = $rule
Out-LogFile ("Possible Investigate inbox rule found! ID:" $rule.Id) -notice
}
}

#if investigation-worthy rules were found, output those to csv.
if ($null -ne $InvestigateLog) {
if ($InvestigateLog.count -gt 0) {
$InvestigateLog | Out-MultipleFileType -fileprefix "_Investigate_New_InboxRule" -csv -notice
}
}
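Review bot: The two new comment lines `#if the function call returns true` and `#doing it this exact way probably isnt best practice but it works sooooo idc` document nothing about what the caller relies on; replace them with a single line that states the contract, e.g. `# Compare-SusInboxRule returns $true when the rule matches any suspicious-rule heuristic (delete, forward/redirect, hide-in-folder, odd name)`. The call result is written to `$investigate` and tested two lines later as `$Investigate`; PowerShell variable names are case-insensitive so this works, but one spelling avoids a reader checking whether these are two different variables. The same casing mismatch appears in the new line of Get-OspreyUserInboxRule.ps1. Get-OspreyTenantExchangeLogs begins and ends outside the hunk.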
10 changes: 2 additions & 8 deletions Osprey/functions/User/Get-OspreyUserInboxRule.ps1
Expand Up @@ -48,15 48,9 @@ Function Get-OspreyUserInboxRule {

#then for each rule we check for investigate rules
foreach ($Rule in $SimpleInboxRules) {
$Investigate = $false #reset var

# Evaluate each of the properties that we know bad actors like to use and flip the flag if needed
if ($rule.DeleteMessage -eq $true) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.ForwardAsAttachmentTo))) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.ForwardTo))) { $Investigate = $true }
if (!([string]::IsNullOrEmpty($rule.RedirectTo))) { $Investigate = $true }
if ($rule.MoveToFolder -in "Archive", "Conversation History", "RSS Subscription") { $Investigate = $true }

#comparison, call function
$investigate = Compare-SusInboxRule -InboxRule $rule
#if we found some investigate rules, let the user know
if ($Investigate -eq $true) {
$InvestigateLog = $rule
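--- a/Osprey/internal/functions/Compare-SusInboxRule.ps1
+++ b/Osprey/internal/functions/Compare-SusInboxRule.ps1
@@ -0,0 +1,25 @@
+<#
+.SYNOPSIS
+Determines if an inbox rule is potentially suspicious
+.DESCRIPTION
+Determines if an inbox rule is potentially suspicious
+.PARAMETER InboxRule
+The inbox rule data
+#>
+Function Compare-SusInboxRule {
+param
+(
+[Parameter(Mandatory = $true)]
+[array]$InboxRule
+)
+
+$investigate = $false
+if ((($InboxRule.DeleteMessage -eq $true) -and ($InboxRule.MarkAsRead -eq $true)) -or ($InboxRule.DeleteMessage -eq $true)) { $Investigate = $true }
+if (!([string]::IsNullOrEmpty($InboxRule.ForwardAsAttachmentTo))) { $Investigate = $true }
+if (!([string]::IsNullOrEmpty($InboxRule.ForwardTo))) { $Investigate = $true }
+if (!([string]::IsNullOrEmpty($InboxRule.RedirectTo))) { $Investigate = $true}
+if ($InboxRule.MoveToFolder -in "Archive", "Conversation History", "RSS Subscription") { $Investigate = $true }
+if ($InboxRule.RuleName -like '*.*' -or $InboxRule.RuleName -like '*,*' -or $InboxRule.RuleName -like '*"*'){ $Investigate = $true }
+
+return $Investigate
+}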
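Review bot: The DeleteMessage condition is a tautology — `(A -and B) -or A` reduces to `A` — so MarkAsRead never influences the verdict even though the changelog says additional criteria were added; either simplify it to `if ($InboxRule.DeleteMessage -eq $true) { $Investigate = $true }` or give MarkAsRead its own condition if it was meant to be a separate signal. The RuleName check on the last `if` flags any name containing a period, comma or double quote, which will include ordinary names built from sender addresses, so a comment stating the rationale (presumably the very short punctuation-only names used to make rules hard to notice) would help whoever triages the hits, and exact matches such as `-eq '.'` may be closer to that intent. The parameter is typed `[array]` but the body dereferences it as one rule object, and both callers pass a single `$rule`; `[object]` or `[PSCustomObject]` would describe the actual input. Adding an `.OUTPUTS` section to the comment-based help stating that the function returns `[bool]` would complete the documentation.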
