<  Back to rules search

Exchange Online mail forwarding rule enabled

microsoft-365

Classification:

attack

Tactic:

Technique:

Goal

Detect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.

Strategy

Monitor Microsoft 365 audit logs to look for events with @evt.name value of Set-Mailbox, where a value is set for @Parameters.ForwardingSmtpAddress and the @evt.outcome is True.

Triage and response

  1. Inspect the @Parameters.ForwardingSmtpAddress for {{@usr.email}} to see if it is sending email to an external non-company owned domain.
  2. Determine if there is a legitimate use case for the mail forwarding rule.
  3. If {{@usr.email}} is not aware of the mail forwarding rule, investigate all {{@usr.email}} accounts for anomalous activity.