TransportRules-Analyzer
TransportRules-Analyzer.ps1 is a simple PowerShell script that beautifies the transport rule information extracted via Microsoft-Extractor-Suite by Invictus-IR.
Transport Rules (or mail flow rules) are similar to Inbox Rules. The main difference is that a Transport Rule takes action on messages while they are in transit, not after the message has been delivered to the mailbox. An adversary or insider threat may create or modify a transport rule to exfiltrate data or evade defenses.
Fig 1: TransportRules-Analyzer
Note
A transport rule applies to the entire email flow of an organization and can only be configured by users with administrative roles/permissions. It is a set of policies that allows organizations to apply specific actions and conditions to incoming or outgoing email messages.
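As an added illustration of the review described above (this is not code from TransportRules-Analyzer or Microsoft-Extractor-Suite), the following PowerShell triages an exported rule list for actions that copy or redirect mail to external recipients or weaken filtering. The CSV column names are assumed to mirror `Get-TransportRule` property names and may differ from the actual export; the sample rows, addresses and the `contoso.example` domain are constructed.

```powershell
# Added example: flag transport rules whose actions suggest exfiltration or evasion.
# Assumption: columns mirror Get-TransportRule properties; sample rows are constructed.
$internalDomains = @('contoso.example')   # assumption: the tenant's accepted domains

$csv = @'
Name,State,Priority,BlindCopyTo,RedirectMessageTo,CopyTo,SetSCL,DeleteMessage,WhenChanged
Legal disclaimer,Enabled,0,,,,,False,2024-01-10T09:12:00Z
Invoice archive,Enabled,1,archive@mailbox.example,,,,False,2024-03-02T23:41:00Z
Partner allow,Enabled,2,,,,-1,False,2024-03-02T23:44:00Z
Journal copy,Disabled,3,,,audit@contoso.example,,False,2023-11-20T08:00:00Z
'@
$rules = $csv | ConvertFrom-Csv

function Get-ExternalRecipient {
    param([string]$Value, [string[]]$Internal)
    # Split multi-valued fields and keep addresses whose domain is not internal.
    $Value -split '[;,\s]+' | Where-Object { $_ -match '@' } | Where-Object {
        $Internal -notcontains ($_ -split '@')[-1].ToLower()
    }
}

function Test-TransportRule {
    param($Rule, [string[]]$Internal)
    $findings = @()
    # Actions that deliver a copy of, or divert, every matching message.
    foreach ($field in 'BlindCopyTo', 'RedirectMessageTo', 'CopyTo') {
        $ext = @(Get-ExternalRecipient -Value $Rule.$field -Internal $Internal)
        if ($ext.Count -gt 0) { $findings += "$field -> external: $($ext -join ', ')" }
    }
    # Actions that weaken filtering or hide mail from its recipients.
    if ($Rule.SetSCL -eq '-1') { $findings += 'SetSCL -1 (bypasses spam filtering)' }
    if ($Rule.DeleteMessage -eq 'True') { $findings += 'DeleteMessage (silently drops mail)' }
    $findings
}

$rules | ForEach-Object {
    $f = @(Test-TransportRule -Rule $_ -Internal $internalDomains)
    if ($f.Count -gt 0) {
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; WhenChanged = $_.WhenChanged
            Findings = $f -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

With the constructed rows, only "Invoice archive" and "Partner allow" are reported; comparing their `WhenChanged` values against known administrative change windows is the natural next step.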
Transport Rules (Mail Flow Rules) in Exchange Online
Mastering Email Forwarding Rules in Microsoft 365
Get-TransportRule
New-TransportRule
Set-TransportRule