Detect Email Forwarding Rule in Microsoft Sentinel
Adversaries may set up email forwarding rules to covertly collect and monitor victim email communications. By creating inbox rules, mailbox-level SMTP forwarding configurations, or Exchange transport rules, adversaries can silently redirect all or targeted messages to attacker-controlled accounts — internal or external — without the victim's awareness. This technique provides persistent intelligence access even after compromised credentials are reset, because forwarding rules survive password changes. Adversaries may also use the Messaging Application Programming Interface (MAPI) to create hidden inbox rules not visible through Outlook, OWA, or standard Exchange administration tools, enabling long-term covert collection. Threat groups including LAPSUS$, Scattered Spider, Kimsuky, Star Blizzard, and Silent Librarian have actively abused this technique. LAPSUS$ notably created tenant-level Exchange transport rules to forward all organizational email to newly created attacker-controlled accounts, achieving org-wide collection with a single rule.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1114 Email Collection
- Sub-technique: T1114.003 Email Forwarding Rule
- Canonical reference: https://attack.mitre.org/techniques/T1114/003/
KQL Detection Query
```kql
// Operations that create or change forwarding: inbox rules and tenant-wide transport rules
let ForwardingOps = dynamic([
    "New-InboxRule", "Set-InboxRule", "Enable-InboxRule",
    "New-TransportRule", "Set-TransportRule", "Enable-TransportRule"
]);
// Parameters that carry a forwarding destination or switch forwarding on
let ForwardingParams = dynamic([
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward",
    "RedirectMessageTo", "BlindCopyTo"
]);
OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload == "Exchange"
// Set-Mailbox is only of interest when it touches a forwarding parameter
| where (Operation in~ (ForwardingOps))
    or (Operation =~ "Set-Mailbox" and Parameters has_any (ForwardingParams))
| where Parameters has_any (ForwardingParams)
// Parameters is a JSON array of {Name, Value} objects; expand it to one row per parameter
| mv-expand ParsedParam = todynamic(Parameters)
| extend ParamName = tostring(ParsedParam.Name), ParamValue = tostring(ParsedParam.Value)
| where ParamName in~ (ForwardingParams)
// Drop values that clear forwarding rather than set it
| where ParamValue !in ("", "False", "false", "null", "[]")
// Heuristic: any address outside *.onmicrosoft.com is treated as external, which includes the tenant's own vanity domains; refine when tuning
| extend IsExternalTarget = ParamValue has "@" and not (ParamValue has ".onmicrosoft.com")
| extend IsTransportRule = Operation in~ ("New-TransportRule", "Set-TransportRule", "Enable-TransportRule")
| extend HiddenRule = Parameters has "HideRule" or Parameters has "Hidden"
// Transport rules and hidden rules weigh most: org-wide blast radius and evasion intent respectively
| extend SeverityScore = iff(IsExternalTarget, 2, 0)
    + iff(IsTransportRule, 3, 1)
    + iff(HiddenRule, 3, 0)
| project TimeGenerated, UserId, ClientIP, Operation,
    ForwardTarget = ParamValue, ForwardParam = ParamName,
    AffectedMailbox = OfficeObjectId,
    IsExternalTarget, IsTransportRule, HiddenRule, SeverityScore
| sort by SeverityScore desc, TimeGenerated desc
```
Detects email forwarding rule creation and modification using the OfficeActivity table in Microsoft Sentinel. Covers inbox rules (New-InboxRule, Set-InboxRule, Enable-InboxRule), mailbox-level SMTP forwarding (Set-Mailbox with ForwardingSmtpAddress or ForwardingAddress), and Exchange transport rules (New-TransportRule, Set-TransportRule). Extracts forwarding targets from the Parameters JSON array via todynamic and mv-expand, then flags external destinations and hidden rules with a composite severity score. Transport rules and hidden rules receive the highest score due to org-wide blast radius and active evasion intent respectively.
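To exercise the same filtering and scoring offline (for example against exported Unified Audit Log records before the rule is deployed), here is an added Python re-implementation of the query above; it is not part of the original page or of Sentinel. It assumes records shaped like the Unified Audit Log AuditData JSON (Operation, Workload, ObjectId and a Parameters array of Name/Value pairs) and generalises the query's external-target check to a caller-supplied set of tenant domains; the sample events are constructed.

```python
import re
# Operation and parameter names are the ones the Sentinel query above matches on.
FORWARDING_OPS = {"new-inboxrule", "set-inboxrule", "enable-inboxrule",
                  "new-transportrule", "set-transportrule", "enable-transportrule"}
FORWARDING_PARAMS = {"forwardto", "forwardasattachmentto", "redirectto", "forwardingsmtpaddress",
                     "forwardingaddress", "delivertomailboxandforward", "redirectmessageto", "blindcopyto"}
EMPTY_VALUES = {"", "false", "null", "[]"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")  # captures the domain of every address in a parameter value

def score_event(event, tenant_domains):
    """Apply the query's filters to one AuditData record; returns one finding per forwarding parameter."""
    op = event["Operation"].lower()
    params = {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}
    sets_forwarding = {n.lower() for n in params} & FORWARDING_PARAMS
    if event.get("Workload") != "Exchange" or not (
            op in FORWARDING_OPS or (op == "set-mailbox" and sets_forwarding)):
        return []
    hidden = any("hiderule" in n.lower() or "hidden" in n.lower() for n in params)  # the query's heuristic
    transport = "transport" in op  # *-TransportRule: tenant-wide blast radius
    findings = []
    for name, value in params.items():
        if name.lower() not in FORWARDING_PARAMS or value.lower() in EMPTY_VALUES:
            continue  # not a forwarding parameter, or the change clears forwarding instead of setting it
        # External unless every address sits on a tenant domain or under *.onmicrosoft.com
        domains = [d.lower() for d in ADDR_RE.findall(value)]
        external = any(d not in tenant_domains and not d.endswith(".onmicrosoft.com") for d in domains)
        findings.append({"operation": event["Operation"], "mailbox": event.get("ObjectId", ""), "param": name,
                         "target": value, "external": external, "transport_rule": transport, "hidden": hidden,
                         "score": (2 if external else 0) + (3 if transport else 1) + (3 if hidden else 0)})
    return findings

def triage(events, tenant_domains):
    """Highest score first; ties keep log order (the query additionally sorts by TimeGenerated)."""
    found = [f for e in events for f in score_event(e, tenant_domains)]
    return sorted(found, key=lambda f: f["score"], reverse=True)

def audit(operation, mailbox, **params):
    """Builds a constructed AuditData-shaped record for the samples below; not real telemetry."""
    return {"Workload": "Exchange", "Operation": operation, "ObjectId": mailbox,
            "Parameters": [{"Name": n, "Value": v} for n, v in params.items()]}

SAMPLE_EVENTS = [
    audit("New-InboxRule", "victim@contoso.com", ForwardTo="collector@example.net"),
    audit("Set-Mailbox", "victim@contoso.com", ForwardingSmtpAddress="smtp:collector@example.net", DeliverToMailboxAndForward="True"),
    audit("New-TransportRule", "Copy all mail", BlindCopyTo="collector@example.net", FromScope="InOrganization"),
    audit("Set-InboxRule", "alice@contoso.com", ForwardTo=""),  # forwarding cleared: dropped, as the query does
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS, {"contoso.com"}), sep="\n")
```

Running it lists the transport rule first (score 5), the two external forwards next (score 3 each) and the DeliverToMailboxAndForward flag last (score 1); the cleared rule produces no finding.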
Data Sources
Required Tables
False Positives & Tuning
- IT administrators legitimately configuring mailbox forwarding for departing employees, shared mailboxes, or role-based accounts (e.g., [email protected] forwarding to a team alias)
- Email migration or business continuity projects where mailboxes temporarily forward to a backup system or authorized external partner domain
- Compliance and legal hold transport rules that copy mail to an approved Microsoft Purview or third-party archiving system
- Automated helpdesk or ticketing systems (e.g., Zendesk, Freshdesk connectors) that create inbox rules to process and route support email to the correct queue
- Authorized SOC or phishing response configurations forwarding reported phishing emails to an analysis mailbox
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Inbox Forwarding Rule via Exchange Online PowerShell
Expected signal: OfficeActivity (Sentinel) and o365:management:activity (Splunk): Operation=New-InboxRule, [email protected], [email protected], Parameters array contains {Name:ForwardTo, Value:[email protected]}. Event appears in Unified Audit Log within 15-60 minutes. Azure AD Sign-In Logs will record the Exchange Online session from the admin account.
- Test 2: Set Mailbox-Level SMTP Forwarding via Set-Mailbox
Expected signal: OfficeActivity: Operation=Set-Mailbox, Parameters array contains {Name:ForwardingSmtpAddress, Value:[email protected]} and {Name:DeliverToMailboxAndForward, Value:True}. This forwarding is NOT visible via Get-InboxRule — only via Get-Mailbox -Identity victim | fl ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward.
- Test 3: Create Org-Wide Transport Rule to Blind-Copy All Mail (LAPSUS$ Pattern)
Expected signal: OfficeActivity: Operation=New-TransportRule, [email protected], Parameters contains {Name:BlindCopyTo, Value:[email protected]} and {Name:FromScope, Value:InOrganization}. This is NOT logged to individual mailbox audit logs — only appears in Exchange Admin Audit Log and the Unified Audit Log at the tenant level. Transport rule changes take effect within minutes.
- Test 4: Bulk Enumerate All Mailbox Forwarding Configurations (Reconnaissance Phase)
Expected signal: OfficeActivity: Multiple Operation=Get-InboxRule events from admin account accessing many mailboxes in rapid succession. High-volume Exchange admin read operations within a short time window generate multiple OfficeActivity records. Azure AD Sign-In Logs record the session. This pattern can be detected with anomaly-based analytics on Exchange admin read volume.
References
- https://attack.mitre.org/techniques/T1114/003/
- https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
- https://www.us-cert.gov/ncas/alerts/TA18-086A
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding
- https://github.com/sensepost/ruler
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-inboxrule
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-transportrule