Introduction
Physicians Primary Care of Southwest Florida has agreed to a substantial data breach settlement following a security incident that exposed the Protected Health Information (PHI) of thousands of patients. While the financial penalties and corrective action plans grab headlines, for security practitioners, this case is a textbook example of the failures plaguing healthcare defense today.
The breach, stemming from unauthorized access to email systems, resulted in the exfiltration of sensitive patient data. This settlement reinforces the OCR's stance that "response" is insufficient without "protection." Defenders must move beyond basic compliance checklists to implementing technical controls that detect and block the initial access vectors common in 2026—specifically, credential-based email compromise.
Technical Analysis
Although the specific initial access vector in the Physicians Primary Care case is a classic example of email system compromise, the mechanics seen in similar 2026 investigations typically involve the following failure points:
- Affected Platforms: Microsoft 365 (Exchange Online) and on-premises Exchange hybrids remain the primary targets due to the high value of PHI residing in inboxes.
- Attack Chain:
- Initial Access: Credential stuffing or targeted spear-phishing bypassing basic email filters.
- Persistence: Attackers establish persistence by creating hidden Inbox Rules or configuring email forwarding to external accounts (often "privacy" focused email services to evade DLP).
- Collection: Automated scripts (PowerShell or MFA-bypassed API access) crawl mailboxes for keywords like "invoice," "medical record," or "insurance."
- Exfiltration: Data is exported via authenticated SMTP sessions or WebDAV downloads, appearing as legitimate user traffic.
- Exploitation Status: This methodology is actively exploited by numerous crime syndicates targeting healthcare entities. It does not rely on a specific CVE (0-day), but rather on the lack of MFA enforcement, weak password policies, and insufficient monitoring of mailbox configuration changes.
Detection & Response
Detecting this type of breach requires focusing on the manipulation of the email environment rather than just the login. Attackers frequently modify mailbox settings to maintain visibility even after the password is reset.
Sigma Rules
---
title: Suspicious Mailbox Forwarding Rule Creation
id: 8c2d1e4f-9a3b-4f5c-8d1e-4f9a3b4f5c8d
status: experimental
description: Detects the creation of inbox rules that forward emails to external recipients, a common persistence mechanism in email compromises.
references:
- https://attack.mitre.org/techniques/T1114/003/
author: Security Arsenal
date: 2026/04/10
tags:
- attack.persistence
- attack.t1114.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'New-InboxRule'
- 'Set-InboxRule'
CommandLine|contains:
- 'ForwardTo'
- 'RedirectTo'
- 'CopyToFolder'
condition: selection
falsepositives:
- Legitimate administrative configuration of forwarding rules
level: high
---
title: Suspicious Outlook PST Export Activity
id: 9d3e2f5a-0b4c-5g6d-9e3e-2f5a0b4c5g6d
status: experimental
description: Detects Microsoft Outlook attempting to export mailbox data to PST files, which may indicate manual data exfiltration.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/10
tags:
- attack.exfiltration
- attack.t1560
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
CommandLine|contains:
- 'pst'
- 'export'
condition: selection
falsepositives:
- Users performing legitimate backups of their mailbox
level: medium
---
title: PowerShell Exchange Online Connection
id: 1a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d
status: experimental
description: Detects PowerShell scripts connecting to Exchange Online Management modules, often used for bulk data extraction.
references:
- https://attack.mitre.org/techniques/T1078/004/
author: Security Arsenal
date: 2026/04/10
tags:
- attack.defense_evasion
- attack.t1078.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Connect-ExchangeOnline'
- 'New-ManagementGroupSession'
condition: selection
falsepositives:
- Administrators performing routine Exchange management
level: low
KQL (Microsoft Sentinel)
This query hunts for users who have enabled email forwarding to external domains, a key indicator of mailbox takeover.
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| extend Parameters = parse_(Parameters)
| mv-apply Parameter = Parameters on
(
where Parameter.Name == "ForwardTo" or Parameter.Name == "RedirectTo"
project ForwardTo = Parameter.Value
)
| where isnotempty(ForwardTo)
| project TimeGenerated, UserId, Operation, ForwardTo, ClientIP
| extend DomainName = tostring(split(ForwardTo, "@")[1])
| where DomainName !contains "@yourdomain.com" // Filter internal domains
| order by TimeGenerated desc
Velociraptor VQL
Use this artifact to hunt for recently created or modified PST files on user endpoints, which may indicate offline staging of stolen emails.
-- Hunt for recently modified PST files in user directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs="\\Users\\*\\*.pst", root="/")
WHERE Mtime > timestamp(now) - duration("7d")
OR Size > 1024 * 1024 * 50 -- Greater than 50MB
Remediation Script (PowerShell)
This script can be used by Incident Responders to identify mailboxes with active forwarding rules to external recipients.
# Connect to Exchange Online
# Connect-ExchangeOnline
# Get all mailboxes with forwarding enabled
$ForwardingMailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress -ne $null }
if ($ForwardingMailboxes) {
Write-Host "[ALERT] Found mailboxes with external forwarding enabled:" -ForegroundColor Red
foreach ($mailbox in $ForwardingMailboxes) {
[PSCustomObject]@{
User = $mailbox.UserPrincipalName
ForwardingAddress = $mailbox.ForwardingSmtpAddress
DeliverToMailbox = $mailbox.DeliverToMailboxAndForward
}
}
} else {
Write-Host "[INFO] No external forwarding rules detected." -ForegroundColor Green
}
# Check for Inbox Rules
$Mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mbx in $Mailboxes) {
$rules = Get-InboxRule -Mailbox $mbx.Identity
foreach ($rule in $rules) {
if ($rule.ForwardTo -or $rule.RedirectTo -or $rule.CopyToFolder) {
Write-Host "[ALERT] Suspicious rule found in $($mbx.UserPrincipalName): $($rule.Name)" -ForegroundColor Yellow
}
}
}
Remediation
To prevent a similar settlement and breach, healthcare entities must enforce the following defensive measures immediately:
-
Enforce Conditional Access (Zero Trust):
- Require Multi-Factor Authentication (MFA) for all users, specifically blocking legacy authentication protocols.
- Implement "Impossible Travel" policies and location-based conditional access to block logins from anomalous geographies.
-
Mailbox Auditing and Alerting:
- Enable Unified Audit Log in M365.
- Configure alerts for "MailItemsAccessed" events and specific PowerShell cmdlets (
New-InboxRule,Set-Mailbox).
-
Disable Automatic Forwarding:
- Configure tenant-wide anti-phishing policies to disable auto-forwarding to external domains. This is a critical stop-gap for data exfiltration.
-
Application of Least Privilege:
- Revoke unnecessary Global Administrator roles. Use role-based access control (RBAC) to limit who can run Exchange Online PowerShell modules.
-
User Awareness Training:
- Conduct targeted phishing simulations focusing on credential harvesting.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.