T1114.003

Email Forwarding Rule

Adversaries may set up email forwarding rules to covertly collect and monitor victim email communications. By creating inbox rules, mailbox-level SMTP forwarding configurations, or Exchange transport rules, adversaries can silently redirect all or targeted messages to attacker-controlled accounts — internal or external — without the victim's awareness. This technique provides persistent intelligence access even after compromised credentials are reset, because forwarding rules survive password changes. Adversaries may also use the Microsoft Messaging API (MAPI) to create hidden inbox rules not visible through Outlook, OWA, or standard Exchange administration tools, enabling long-term covert collection. Threat groups including LAPSUS$, Scattered Spider, Kimsuky, Star Blizzard, and Silent Librarian have actively abused this technique. LAPSUS$ notably created tenant-level Exchange transport rules to forward all organizational email to newly created attacker-controlled accounts, achieving org-wide collection with a single rule.

Microsoft Sentinel / Defender

kusto

let ForwardingOps = dynamic([
    "New-InboxRule", "Set-InboxRule", "Enable-InboxRule",
    "New-TransportRule", "Set-TransportRule", "Enable-TransportRule"
]);
let ForwardingParams = dynamic([
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward",
    "RedirectMessageTo", "BlindCopyTo"
]);
OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload == "Exchange"
| where (Operation in~ (ForwardingOps))
    or (Operation =~ "Set-Mailbox" and Parameters has_any (ForwardingParams))
| where Parameters has_any (ForwardingParams)
| mv-expand ParsedParam = todynamic(Parameters)
| extend ParamName = tostring(ParsedParam.Name), ParamValue = tostring(ParsedParam.Value)
| where ParamName in~ (ForwardingParams)
| where ParamValue !in ("", "False", "false", "null", "[]")
| extend IsExternalTarget = ParamValue has "@" and not (ParamValue has ".onmicrosoft.com")
| extend IsTransportRule = Operation in~ ("New-TransportRule", "Set-TransportRule", "Enable-TransportRule")
| extend HiddenRule = Parameters has "HideRule" or Parameters has "Hidden"
| extend SeverityScore = iff(IsExternalTarget, 2, 0)
    + iff(IsTransportRule, 3, 1)
    + iff(HiddenRule, 3, 0)
| project TimeGenerated, UserId, ClientIP, Operation,
          ForwardTarget = ParamValue, ForwardParam = ParamName,
          AffectedMailbox = OfficeObjectId,
          IsExternalTarget, IsTransportRule, HiddenRule, SeverityScore
| sort by SeverityScore desc, TimeGenerated desc

high severity high confidence

Data Sources

Application Log: Application Log Content Microsoft 365 Unified Audit Log Exchange Admin Audit Log

Required Tables

OfficeActivity

False Positives

IT administrators legitimately configuring mailbox forwarding for departing employees, shared mailboxes, or role-based accounts (e.g., [email protected] forwarding to a team alias)
Email migration or business continuity projects where mailboxes temporarily forward to a backup system or authorized external partner domain
Compliance and legal hold transport rules that copy mail to an approved Microsoft Purview or third-party archiving system
Automated helpdesk or ticketing systems (e.g., Zendesk, Freshdesk connectors) that create inbox rules to process and route support email to the correct queue
Authorized SOC or phishing response configurations forwarding reported phishing emails to an analysis mailbox

Splunk

spl

index=o365 sourcetype="o365:management:activity" Workload=Exchange
  (Operation IN ("New-InboxRule","Set-InboxRule","Enable-InboxRule",
                 "New-TransportRule","Set-TransportRule","Enable-TransportRule")
   OR (Operation="Set-Mailbox"
       AND (Parameters{}.Name="ForwardingSmtpAddress"
            OR Parameters{}.Name="ForwardingAddress"
            OR Parameters{}.Name="DeliverToMailboxAndForward")))
| spath path=Parameters{} output=param_entries
| mvexpand param_entries
| spath input=param_entries path=Name output=ParamName
| spath input=param_entries path=Value output=ParamValue
| where ParamName IN ("ForwardTo","ForwardAsAttachmentTo","RedirectTo",
                      "ForwardingSmtpAddress","ForwardingAddress",
                      "DeliverToMailboxAndForward","RedirectMessageTo","BlindCopyTo")
| where ParamValue!="" AND ParamValue!="False" AND ParamValue!="false" AND ParamValue!="null"
| eval IsExternal=if(match(ParamValue,"@") AND NOT match(lower(ParamValue),"onmicrosoft\\.com"), 1, 0)
| eval IsTransportRule=if(match(Operation,"TransportRule"), 1, 0)
| eval HiddenRule=if(match(_raw,"HideRule|Hidden"), 1, 0)
| eval SeverityScore=(IsExternal*2) + (IsTransportRule*3) + (HiddenRule*3) + 1
| table _time, UserId, ClientIP, Operation, ParamName, ParamValue, ObjectId, IsExternal, IsTransportRule, HiddenRule, SeverityScore
| sort - SeverityScore, - _time

high severity high confidence

Data Sources

Application Log: Application Log Content Microsoft 365 Management Activity API Splunk Add-on for Microsoft Office 365 (TA-o365)

Required Sourcetypes

o365:management:activity

False Positives

IT administrators legitimately configuring mailbox forwarding for departing employees or shared mailboxes routing to team aliases
Email migration or business continuity projects forwarding to authorized backup or partner systems
Compliance transport rules copying mail to approved archiving or eDiscovery systems such as Microsoft Purview
Automated helpdesk or ticketing connectors creating inbox rules to route support email to processing queues
Authorized SOC phishing response configurations forwarding reported messages to analysis mailboxes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS user_id,
  sourceip AS client_ip,
  QIDNAME(qid) AS operation,
  "UTF8"(payload) AS raw_payload,
  CASE
    WHEN LOWER("UTF8"(payload)) LIKE '%transportrule%' THEN 3
    ELSE 1
  END +
  CASE
    WHEN "UTF8"(payload) LIKE '%@%'
     AND LOWER("UTF8"(payload)) NOT LIKE '%onmicrosoft.com%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN LOWER("UTF8"(payload)) LIKE '%hiderule%'
      OR LOWER("UTF8"(payload)) LIKE '%hidden%' THEN 3
    ELSE 0
  END AS severity_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Office 365%'
  AND (
    QIDNAME(qid) ILIKE '%New-InboxRule%' OR
    QIDNAME(qid) ILIKE '%Set-InboxRule%' OR
    QIDNAME(qid) ILIKE '%Enable-InboxRule%' OR
    QIDNAME(qid) ILIKE '%New-TransportRule%' OR
    QIDNAME(qid) ILIKE '%Set-TransportRule%' OR
    QIDNAME(qid) ILIKE '%Enable-TransportRule%' OR
    QIDNAME(qid) ILIKE '%Set-Mailbox%'
  )
  AND (
    "UTF8"(payload) ILIKE '%ForwardTo%' OR
    "UTF8"(payload) ILIKE '%ForwardAsAttachmentTo%' OR
    "UTF8"(payload) ILIKE '%RedirectTo%' OR
    "UTF8"(payload) ILIKE '%ForwardingSmtpAddress%' OR
    "UTF8"(payload) ILIKE '%ForwardingAddress%' OR
    "UTF8"(payload) ILIKE '%DeliverToMailboxAndForward%' OR
    "UTF8"(payload) ILIKE '%RedirectMessageTo%' OR
    "UTF8"(payload) ILIKE '%BlindCopyTo%'
  )
  AND LAST 24 HOURS
ORDER BY severity_score DESC, event_time DESC

high severity medium confidence

Data Sources

Microsoft Office 365 log source (DSM) IBM QRadar O365 integration via Microsoft Graph API or Syslog forwarding

Required Tables

events

False Positives

Help desk or IT operations staff running Exchange PowerShell scripts to bulk-configure forwarding for departing employees as part of offboarding procedures
Email migration projects where transport rules are created to route mail during cutover between Exchange environments or tenants
Third-party email security products (e.g., Mimecast, Proofpoint) that configure transport rules programmatically for journaling or compliance archiving

Sumo Logic CSE

sql

_sourceCategory="o365" OR _sourceCategory="microsoft/o365"
| json field=_raw "Workload" as workload
| json field=_raw "Operation" as operation
| json field=_raw "UserId" as user_id
| json field=_raw "ClientIP" as client_ip
| json field=_raw "ObjectId" as affected_mailbox
| where workload = "Exchange"
| where operation in ("New-InboxRule","Set-InboxRule","Enable-InboxRule",
                      "New-TransportRule","Set-TransportRule","Enable-TransportRule",
                      "Set-Mailbox")
| json field=_raw "Parameters" as params_array
| parse regex field=params_array "\{\"Name\":\"(?<param_name>[^\"]+)\",\"Value\":\"(?<param_value>[^\"]+)\"\}" multi
| where param_name in ("ForwardTo","ForwardAsAttachmentTo","RedirectTo",
                       "ForwardingSmtpAddress","ForwardingAddress",
                       "DeliverToMailboxAndForward","RedirectMessageTo","BlindCopyTo")
| where param_value != "" and param_value != "False" and param_value != "false" and param_value != "null"
| if (param_value matches "*@*" and !(param_value matches "*onmicrosoft.com*"), 1, 0) as is_external
| if (operation matches "*TransportRule*", 1, 0) as is_transport_rule
| if (_raw matches "*HideRule*" or _raw matches "*Hidden*", 1, 0) as hidden_rule
| (is_external * 2) + (is_transport_rule * 3) + (hidden_rule * 3) + 1 as severity_score
| fields _messageTime, user_id, client_ip, operation, param_name, param_value, affected_mailbox, is_external, is_transport_rule, hidden_rule, severity_score
| sort by severity_score, _messageTime desc

high severity high confidence

Data Sources

Microsoft Office 365 Audit Logs (Cloud-to-Cloud source or HTTP source) Sumo Logic O365 App

Required Tables

_sourceCategory=o365 _sourceCategory=microsoft/o365

False Positives

Legitimate email archiving or compliance solutions (e.g., Veeam, AvePoint) that configure mailbox-level forwarding to journal mailboxes
HR or legal teams setting up monitored mailbox forwarding for employee investigations with proper authorization and documentation
Shared mailbox management where admins configure forwarding to team distribution lists for business continuity

Google Chronicle / SecOps

yaral

rule email_forwarding_rule_t1114_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of email forwarding rules in Microsoft 365 Exchange, including inbox rules, transport rules, and mailbox-level SMTP forwarding. Covers external forwarding, org-wide transport rules, and hidden rules associated with T1114.003."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1114.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.product_name = "Office 365"
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type in~ (
      "New-InboxRule", "Set-InboxRule", "Enable-InboxRule",
      "New-TransportRule", "Set-TransportRule", "Enable-TransportRule",
      "Set-Mailbox"
    )
    (
      $e.security_result.rule_name = "ForwardTo" or
      $e.security_result.rule_name = "ForwardAsAttachmentTo" or
      $e.security_result.rule_name = "RedirectTo" or
      $e.security_result.rule_name = "ForwardingSmtpAddress" or
      $e.security_result.rule_name = "ForwardingAddress" or
      $e.security_result.rule_name = "DeliverToMailboxAndForward" or
      $e.security_result.rule_name = "RedirectMessageTo" or
      $e.security_result.rule_name = "BlindCopyTo" or
      re.regex($e.target.resource.attribute.labels["parameters"], `(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward|RedirectMessageTo|BlindCopyTo)`)
    )
    $e.principal.user.userid != ""

  condition:
    $e
}

high severity high confidence

Data Sources

Microsoft Office 365 logs ingested via Chronicle O365 feed Google Chronicle SIEM with Microsoft 365 integration

Required Tables

UDM events from Microsoft O365 log ingestion

False Positives

Exchange administrators using PowerShell automation scripts to configure forwarding for onboarding/offboarding workflows during business hours from known admin workstations
Email security gateway products that create transport rules for spam filtering, DLP enforcement, or message hygiene policies
Managed service providers (MSPs) administering tenant Exchange configurations on behalf of customers, generating forwarding rule events from external IP ranges

CrowdStrike LogScale (CQL)

cql

// T1114.003 — Email Forwarding Rule Detection via CrowdStrike Falcon LogScale
// Targets O365 audit events ingested via Falcon's Microsoft Graph integration
#event_simpleName = "O365AuditEvent"
| Workload = "Exchange"
| Operation in~ ["New-InboxRule", "Set-InboxRule", "Enable-InboxRule",
                 "New-TransportRule", "Set-TransportRule", "Enable-TransportRule",
                 "Set-Mailbox"]
| regex(field=Parameters, regex="(?i)(ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress|DeliverToMailboxAndForward|RedirectMessageTo|BlindCopyTo)")
| regex(field=Parameters, regex='"Value":"(?P<ForwardTarget>[^"]+)"')
| ForwardTarget != ""
| ForwardTarget != "False"
| ForwardTarget != "false"
| ForwardTarget != "null"
| IsExternal := if(match(field=ForwardTarget, regex="@") and !match(field=ForwardTarget, regex="(?i)onmicrosoft\\.com"), then=1, else=0)
| IsTransportRule := if(match(field=Operation, regex="(?i)TransportRule"), then=3, else=1)
| HiddenRule := if(match(field=Parameters, regex="(?i)(HideRule|Hidden)"), then=3, else=0)
| SeverityScore := (IsExternal * 2) + IsTransportRule + HiddenRule
| table([timestamp, UserId, ClientIP, Operation, ForwardTarget, AffectedMailbox, IsExternal, IsTransportRule, HiddenRule, SeverityScore])
| sort(SeverityScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon platform with Microsoft 365 integration enabled O365AuditEvent log type from Falcon's Graph API connector

Required Tables

O365AuditEvent (Falcon Microsoft 365 integration)

False Positives

Legitimate administrative PowerShell automation running from known admin accounts to configure shared mailbox forwarding during business hours
Third-party SaaS CRM or ticketing integrations (e.g., Salesforce, Zendesk) that create inbox rules to parse inbound email into ticket systems
Internal email routing configurations applied by Exchange admins as part of organizational restructuring, domain migrations, or mergers and acquisitions

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Email Forwarding Rule

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections