T1114.003 Splunk · SPL

Detect Email Forwarding Rule in Splunk

Adversaries may set up email forwarding rules to covertly collect and monitor victim email communications. By creating inbox rules, mailbox-level SMTP forwarding configurations, or Exchange transport rules, adversaries can silently redirect all or targeted messages to attacker-controlled accounts — internal or external — without the victim's awareness. This technique provides persistent intelligence access even after compromised credentials are reset, because forwarding rules survive password changes. Adversaries may also use the Microsoft Messaging API (MAPI) to create hidden inbox rules not visible through Outlook, OWA, or standard Exchange administration tools, enabling long-term covert collection. Threat groups including LAPSUS$, Scattered Spider, Kimsuky, Star Blizzard, and Silent Librarian have actively abused this technique. LAPSUS$ notably created tenant-level Exchange transport rules to forward all organizational email to newly created attacker-controlled accounts, achieving org-wide collection with a single rule.

MITRE ATT&CK

Tactic
Collection
Technique
T1114 Email Collection
Sub-technique
T1114.003 Email Forwarding Rule
Canonical reference
https://attack.mitre.org/techniques/T1114/003/

SPL Detection Query

Splunk (SPL)
spl 
index=o365 sourcetype="o365:management:activity" Workload=Exchange
  (Operation IN ("New-InboxRule","Set-InboxRule","Enable-InboxRule",
                 "New-TransportRule","Set-TransportRule","Enable-TransportRule")
   OR (Operation="Set-Mailbox"
       AND (Parameters{}.Name="ForwardingSmtpAddress"
            OR Parameters{}.Name="ForwardingAddress"
            OR Parameters{}.Name="DeliverToMailboxAndForward")))
| spath path=Parameters{} output=param_entries
| mvexpand param_entries
| spath input=param_entries path=Name output=ParamName
| spath input=param_entries path=Value output=ParamValue
| where ParamName IN ("ForwardTo","ForwardAsAttachmentTo","RedirectTo",
                      "ForwardingSmtpAddress","ForwardingAddress",
                      "DeliverToMailboxAndForward","RedirectMessageTo","BlindCopyTo")
| where ParamValue!="" AND ParamValue!="False" AND ParamValue!="false" AND ParamValue!="null"
| eval IsExternal=if(match(ParamValue,"@") AND NOT match(lower(ParamValue),"onmicrosoft\\.com"), 1, 0)
| eval IsTransportRule=if(match(Operation,"TransportRule"), 1, 0)
| eval HiddenRule=if(match(_raw,"HideRule|Hidden"), 1, 0)
| eval SeverityScore=(IsExternal*2) + (IsTransportRule*3) + (HiddenRule*3) + 1
| table _time, UserId, ClientIP, Operation, ParamName, ParamValue, ObjectId, IsExternal, IsTransportRule, HiddenRule, SeverityScore
| sort - SeverityScore, - _time
high severity high confidence

Detects email forwarding rule creation and modification using the Microsoft Office 365 Management Activity API logs ingested via the Splunk Add-on for Microsoft Office 365 (TA-o365). Parses the nested JSON Parameters array using spath and mvexpand to identify forwarding targets across inbox rules, mailbox-level SMTP forwarding, and organization-wide transport rules. Scores each event by severity with transport rules (3 points) and hidden rules (3 points) weighted highest due to their broad organizational impact and evasion intent.

Data Sources

Application Log: Application Log ContentMicrosoft 365 Management Activity APISplunk Add-on for Microsoft Office 365 (TA-o365)

Required Sourcetypes

o365:management:activity

False Positives & Tuning

  • IT administrators legitimately configuring mailbox forwarding for departing employees or shared mailboxes routing to team aliases
  • Email migration or business continuity projects forwarding to authorized backup or partner systems
  • Compliance transport rules copying mail to approved archiving or eDiscovery systems such as Microsoft Purview
  • Automated helpdesk or ticketing connectors creating inbox rules to route support email to processing queues
  • Authorized SOC phishing response configurations forwarding reported messages to analysis mailboxes
Download portable Sigma rule (.yml)

Other platforms for T1114.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: OfficeActivity (Sentinel) and o365:management:activity (Splunk): Operation=New-InboxRule, [email protected], [email protected], Parameters array contains {Name:ForwardTo, Value:[email protected]}. Event appears in Unified Audit Log within 15-60 minutes. Azure AD Sign-In Logs will record the Exchange Online session from the admin account.

  2. Test 2Set Mailbox-Level SMTP Forwarding via Set-Mailbox

    Expected signal: OfficeActivity: Operation=Set-Mailbox, Parameters array contains {Name:ForwardingSmtpAddress, Value:[email protected]} and {Name:DeliverToMailboxAndForward, Value:True}. This forwarding is NOT visible via Get-InboxRule — only via Get-Mailbox -Identity victim | fl ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward.

  3. Test 3Create Org-Wide Transport Rule to Blind-Copy All Mail (LAPSUS$ Pattern)

    Expected signal: OfficeActivity: Operation=New-TransportRule, [email protected], Parameters contains {Name:BlindCopyTo, Value:[email protected]} and {Name:FromScope, Value:InOrganization}. This is NOT logged to individual mailbox audit logs — only appears in Exchange Admin Audit Log and the Unified Audit Log at the tenant level. Transport rule changes take effect within minutes.

  4. Test 4Bulk Enumerate All Mailbox Forwarding Configurations (Reconnaissance Phase)

    Expected signal: OfficeActivity: Multiple Operation=Get-InboxRule events from admin account accessing many mailboxes in rapid succession. High-volume Exchange admin read operations within a short time window generate multiple OfficeActivity records. Azure AD Sign-In Logs record the session. This pattern can be detected with anomaly-based analytics on Exchange admin read volume.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1114.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1114Email Collection

Related Sub-techniques

T1114.001Local Email CollectionT1114.002Remote Email Collection

Related Techniques

T1114Email CollectionT1114.001Local Email CollectionT1114.002Remote Email CollectionT1564.008Email Hiding RulesT1078.004Cloud AccountsT1098.001Additional Cloud CredentialsT1556.006Multi-Factor AuthenticationT1566PhishingT1048Exfiltration Over Alternative Protocol

Same Tactic: Collection

Popular Detections