Exchange Plugin & Transport Agent

Overview

The Microsoft Exchange plugin is installed on the Microsoft Exchange Server and monitors the contents of e-mail arriving from external domains into your domain for malicious URLs and other indicators of compromise.

Detecting phishing is one of the many ways InsightIDR monitors for suspicious activity in an organization's network. It allows an organization to review the links that have been received in e-mails: you can flag suspicious links and warn people about them in the future, and you can investigate bad domains as well. Integration with Google Safe Browsing allows e-mail links that have been flagged as malicious by Google Safe Browsing to automatically trigger an incident.

In order for this functionality to work in InsightIDR, you must add and configure a Microsoft Exchange event source.

Get the transport agent

The Exchange Plugin is not available unless requested. If you are a POC Customer or a QuickStart customer, contact your Rapid7 representative to get the agent. If you are neither, contact the InsightIDR support team (support@rapid7.com).

Setup Process

The Exchange server must also have the Exchange Management Console installed. If Microsoft .NET 3.5 is not already installed on the Exchange server, download and install it as well.

Select a free port

  1. On the event source page, select a free port on the computer running the collector.
  2. Note the port and IP address of the computer. This port listens for inbound communications from the Exchange transport agent.

Verify incoming connections

  1. On the computer running the collector, verify that the port you selected allows incoming connections through your firewall.
  2. Perform additional configuration steps as required (for example, allowing incoming connections through the Windows Firewall).
  3. Save the event source. This activates a port listener on the collector.

Install the transport agent

To install the transport agent, you must have administrator rights on the server.

  1. Launch a cmd.exe window with the Run as administrator command.
  2. Run the installer with the command msiexec /I <installername.msi>
  3. Enter the port number and IP address that you noted earlier.

The installation will not proceed until it verifies that it can connect to the IP address and port that were specified. After the installation, the Exchange Transport Agent runs automatically.
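The collector-side and Exchange-side checks behind the steps above, as an added PowerShell example that is not part of the Rapid7 documentation. The port and collector address are assumed sample values (they match the ones used in the log excerpt later on this page); the firewall rule name is an arbitrary label. The first half runs on the collector machine, the second half on the Exchange server before the installer is launched.

```powershell
# Added example, not Rapid7's code. $port and $collector are assumed sample values.
$port      = 8999            # the free port chosen on the event source page
$collector = '192.168.50.4'  # the collector's IP address, as noted on that page

# --- On the collector: confirm the port is free, then allow it through the Windows Firewall.
$inUse = Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $port is already in use by PID $($inUse.OwningProcess); pick another port."
}
New-NetFirewallRule -DisplayName "InsightIDR Exchange agent ($port/tcp)" `
    -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow | Out-Null

# After the event source has been saved in InsightIDR, the collector should be listening.
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on $port yet; save the event source first."
}

# --- On the Exchange server: prove reachability before running the installer,
# because msiexec refuses to proceed if it cannot connect to the collector.
$probe = Test-NetConnection -ComputerName $collector -Port $port
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${collector}:${port} from this server; check the firewall rule and routing."
}
# Then run the installer from an elevated cmd.exe and enter the same IP and port when prompted:
#   msiexec /I <installername.msi>
```

Get-NetTCPConnection, New-NetFirewallRule and Test-NetConnection require Windows Server 2012 or later; on an older collector, use netstat and the Windows Firewall MMC snap-in for the same checks.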

Note: The transport agent requires Administrator rights to install. Please ensure the Administrator account used to install the transport agent is a member of the Exchange Organization Administrators group prior to installation.

Verifying Setup

A few minutes after the setup completes, the admin can send a self-addressed e-mail containing a unique link; for example, http://www.testing1234.com. After a few more minutes, search in InsightIDR for that URL. The search should return a page indicating the recipient.

If the link does not appear in InsightIDR within a reasonable amount of time, the admin can investigate the issue by looking at the logs generated by the Exchange Transport Agent.

After a successful setup, the C:\ProgramData\Rapid7 folder should exist, and it should contain a log file called data.log. In that log file, you should see some lines like this:

2014-05-08 18:03:53,098 [1] INFO  PhishingMonitorTransportAgent.LoadConfig [(null)] - LoadConfig: loaded config at C:\Program Files\Rapid7\ExchangeAgent\config.json
2014-05-08 18:03:53,101 [1] INFO  PhishingMonitorTransportAgent.TcpDataClient [(null)] - TcpDataClient: Connected to host: 192.168.50.4 and port: 8999

Your lines will not match these verbatim, but the log file should contain a "loaded config at" line and a "Connected to host" line. Their presence verifies that the agent is talking to the collector properly. These logs rotate and are capped at a total size of 100 MB.

Running alongside spam filters

If a spam filter is installed on the same server as the Exchange Transport Agent, the order in which the two execute depends on the order in which they were installed. To force the spam filter to execute first, use the Set-TransportAgent PowerShell cmdlet.

See the Exchange documentation on using the Shell to configure a transport agent's priority.

The following text is from Set-TransportAgent:

"The Priority parameter specifies the priority of the transport agent. The priority of the transport agent controls the order in which the transport agents process e-mail messages. The priority must be a value between 0 and the maximum number of transport agents. The default behavior is to append a new transport agent to the end of the priority list. Transport agents with a priority closest to 0 process e-mail messages first."
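Reordering the agents as described above, as an added Exchange Management Shell example that is not part of the Rapid7 documentation. The spam filter's Identity is a placeholder, since the page does not name a particular product; copy the real value from the Get-TransportAgent listing. PhishingMonitorTransportAgent is the agent name this page uses.

```powershell
# Added example, not Rapid7's code: make the spam filter agent run before
# PhishingMonitorTransportAgent. $spamFilterAgent is a placeholder Identity.
$spamFilterAgent = '<SpamFilterAgentName>'
$phishingAgent   = 'PhishingMonitorTransportAgent'

# Current processing order: the agent with the lowest Priority value runs first.
Get-TransportAgent | Sort-Object Priority | Format-Table Priority, Identity, Enabled -AutoSize

# Move the spam filter to the front of the list (the lowest priority currently in use)...
$first = (Get-TransportAgent | Measure-Object -Property Priority -Minimum).Minimum
Set-TransportAgent -Identity $spamFilterAgent -Priority $first

# ...and place the phishing monitor directly behind it. Exchange renumbers the others.
$spamPriority = (Get-TransportAgent -Identity $spamFilterAgent).Priority
Set-TransportAgent -Identity $phishingAgent -Priority ($spamPriority + 1)

# The new order applies to the transport pipeline after the service is restarted.
Restart-Service MSExchangeTransport
Get-TransportAgent | Sort-Object Priority | Format-Table Priority, Identity, Enabled -AutoSize
```

Reading the minimum priority back instead of hard-coding 0 keeps the script correct whichever value your Exchange version assigns to the first slot.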

High Level Design and Data Flow

The Exchange Transport Agent sits on the Exchange server and parses e-mails for links. Once it captures this data, it sends the data over the Transmission Control Protocol (TCP) across the internal network to the collector. After the collector aggregates the data, that data is sent to the cloud via the normal collector mechanism.

In order for this feature to work, the Exchange machines transmit the email link data to the collector instance. This requires that a port be opened on the collector machine via the event source mechanism in InsightIDR.

Collected Data

This is the data collected by the Exchange Transport Agent for each e-mail that contains links:

  • sender: the sender email address
  • sender domain: the domain that this email was sent from
  • recipients: a list of recipients of this email
  • timestamp: when was this email sent
  • id: an internal ID for the email
  • links: a list of URLs and optional labels for links found in the email

Resource Impact

The Exchange Plugin has very low impact on CPU and RAM utilization, as shown in the tables below.

Date       Time      Average CPU Load (%)
16-May-15  12:00 PM  1
17-May-15  12:00 PM  8
18-May-15  12:00 PM  0
19-May-15  12:00 PM  0
20-May-15  12:00 PM  0
1-Jun-15   12:00 PM  0
23-Sep-15  12:00 PM  0
23-Sep-15  12:00 PM  0

Date       Time      Average RAM Usage
16-May-15  12:00 PM  787.4 MB
17-May-15  12:00 PM  811.6 MB
18-May-15  12:00 PM  827.0 MB
19-May-15  12:00 PM  860.6 MB
20-May-15  12:00 PM  861.2 MB
21-May-15  12:00 PM  862.6 MB
1-Jun-15   12:00 PM  758.3 MB
13-Jul-15  12:00 PM  752.3 MB

Troubleshooting

If the installer fails, run it from the command line with the following parameters:

> msiexec /I <installername.msi> /L*vx out.log

Send the out.log file to Rapid7 support (support@rapid7.com) to investigate.

If there is no "Connected to host" line in the log file, the Exchange Transport Agent was unable to connect to the collector. In that case, make sure that the port and IP address recorded in the log file are the correct ones. If the combination is wrong or the collector has moved, change the IP address and port in the config.json file found in C:\Program Files\Rapid7\ExchangeAgent (or in whatever install location was specified). After saving the file, restart the MSExchangeTransport service and verify that the log file contains a "Connected to host" line written after the restart.

If the log file is empty or does not exist, there may have been problems during the installation. Open the Exchange Management Console, run Get-TransportAgent, and check whether PhishingMonitorTransportAgent appears under the Identity column.

If it does, then make sure that it is enabled as well. If it does not show up in there, attempt to uninstall the product and install it again.
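The checks from the Verifying Setup and Troubleshooting sections, gathered into one added PowerShell script that is not part of the Rapid7 documentation. The log path, the two log markers, the agent name and the service name all come from this page; the regular expression that pulls the collector host and port out of the "Connected to host" line assumes the log format shown in the excerpt above.

```powershell
# Added example, not Rapid7's code: verify the agent's log, its collector connection,
# and its registration with Exchange. Run in the Exchange Management Shell on the server.
$logPath   = 'C:\ProgramData\Rapid7\data.log'
$agentName = 'PhishingMonitorTransportAgent'

if (-not (Test-Path $logPath)) {
    Write-Warning "data.log is missing: the install may have failed; checking the agent registration."
} else {
    $log       = Get-Content $logPath
    $loaded    = @($log | Select-String 'loaded config at' -SimpleMatch)
    $connected = @($log | Select-String 'Connected to host' -SimpleMatch)

    if ($loaded.Count -eq 0) {
        Write-Warning "No 'loaded config at' line: the agent never read its config.json."
    }
    if ($connected.Count -eq 0) {
        Write-Warning "No 'Connected to host' line: fix the IP/port in config.json, then Restart-Service MSExchangeTransport."
    } else {
        # Pull the endpoint the agent last reported (assumed format: "host: <ip> and port: <n>")
        # and confirm it is still reachable from this server.
        $m = [regex]::Match($connected[-1].Line, 'host:\s*(\S+)\s+and port:\s*(\d+)')
        if ($m.Success) {
            $host = $m.Groups[1].Value
            $port = [int]$m.Groups[2].Value
            $probe = Test-NetConnection -ComputerName $host -Port $port
            "Last logged collector ${host}:${port} reachable: $($probe.TcpTestSucceeded)"
        }
    }
}

# Is the agent registered with Exchange, and is it enabled?
$agent = Get-TransportAgent -Identity $agentName -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning "$agentName is not registered: uninstall the agent and install it again."
} elseif (-not $agent.Enabled) {
    Enable-TransportAgent -Identity $agentName
    Restart-Service MSExchangeTransport
    "$agentName was disabled; it has been enabled and the transport service restarted."
} else {
    "$agentName is registered and enabled (priority $($agent.Priority))."
}
```

Because the log rotates, the script looks at the last "Connected to host" line rather than the first, so a collector that moved after the initial install is reported with its current address.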

If none of the steps above work, please contact Rapid7 customer support for further assistance.

For documentation on running the plugin installer to generate debug output, or to monitor the Exchange Management Shell during installation, please visit this page.
