title: Email Forwarding Rule (T1114.003)
id: df00tech-t1114-003
status: experimental
description: "Adversaries may set up email forwarding rules to covertly collect and monitor victim email communications. By creating inbox rules, mailbox-level SMTP forwarding configurations, or Exchange transport rules, adversaries can silently redirect all or targeted messages to attacker-controlled accounts — internal or external — without the victim's awareness. This technique provides persistent intelligence access even after compromised credentials are reset, because forwarding rules survive password changes. Adversaries may also use the Microsoft Messaging API (MAPI) to create hidden inbox rules not visible through Outlook, OWA, or standard Exchange administration tools, enabling long-term covert collection. Threat groups including LAPSUS$, Scattered Spider, Kimsuky, Star Blizzard, and Silent Librarian have actively abused this technique. LAPSUS$ notably created tenant-level Exchange transport rules to forward all organizational email to newly created attacker-controlled accounts, achieving org-wide collection with a single rule."
references:
  - https://attack.mitre.org/techniques/T1114/003/
  - https://df00tech.com/detections/T1114.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1114.003
# NOTE: logsource assumes Exchange Online records in the Microsoft 365 Unified Audit Log
# (Sigma m365/exchange schema); adjust product, service and field names for your environment.
logsource:
  product: m365
  service: exchange
detection:
  # Admin-audit path: the cmdlet name lands in Operation and its arguments in Parameters.
  selection_cmdlet:
    eventSource: Exchange
    Operation:
      - 'New-InboxRule'
      - 'Set-InboxRule'
      - 'Set-Mailbox'
      - 'New-TransportRule'
      - 'Set-TransportRule'
  # Only fire when the cmdlet actually sets a forwarding destination or toggle.
  selection_forward:
    Parameters|contains:
      - 'ForwardTo'
      - 'ForwardAsAttachmentTo'
      - 'RedirectTo'
      - 'ForwardingSmtpAddress'
      - 'ForwardingAddress'
      - 'DeliverToMailboxAndForward'
      - 'BlindCopyTo'
      - 'CopyTo'
  # Mailbox-audit path: rules created through MAPI/Outlook are logged as UpdateInboxRules
  # without a Parameters array; this selection fires on every client-side rule change, so
  # the RuleActions entry in OperationProperties must be triaged for forward/redirect actions.
  selection_mapi:
    Operation: 'UpdateInboxRules'
  condition: (selection_cmdlet and selection_forward) or selection_mapi
  # The vendor-specific KQL/SPL form of this logic is published on df00tech.
falsepositives:
  - "IT administrators legitimately configuring mailbox forwarding for departing employees, shared mailboxes, or role-based accounts (e.g., hr@contoso.com forwarding to a team alias)"
  - Email migration or business continuity projects where mailboxes temporarily forward to a backup system or authorized external partner domain
  - Compliance and legal hold transport rules that copy mail to an approved Microsoft Purview or third-party archiving system
  - "Automated helpdesk or ticketing systems (e.g., Zendesk, Freshdesk connectors) that create inbox rules to process and route support email to the correct queue"
  - Authorized SOC or phishing response configurations forwarding reported phishing emails to an analysis mailbox
level: high
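To show how the two log paths named in the rule (admin cmdlets with a Parameters array, and the MAPI UpdateInboxRules path that has none) are evaluated, here is a Python check over constructed Unified Audit Log records. This is an added example, not the df00tech rule or its KQL/SPL query; it assumes the Unified Audit Log record layout (Operation, Parameters as Name/Value pairs, OperationProperties), the JSON shape of the RuleActions property is an assumption, and the contoso.com tenant domain and every sample record are constructed.

```python
"""Evaluate Exchange Online audit records for email-forwarding rule creation.

Added example, not the df00tech rule. Record layout follows the Unified Audit
Log (Operation, Parameters as Name/Value pairs for admin cmdlets, OperationProperties
for the MAPI UpdateInboxRules path); the RuleActions shape and all samples are constructed.
"""
import json
from dataclasses import dataclass, field

# Admin-audit cmdlets whose parameters can switch forwarding on
# (inbox rule, mailbox-level SMTP forwarding, tenant transport rule).
FORWARDING_CMDLETS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                      "New-TransportRule", "Set-TransportRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress",
                     "DeliverToMailboxAndForward", "BlindCopyTo", "CopyTo"}
# Rule actions on the MAPI client path; such rules may not show in Outlook/OWA.
MAPI_FORWARD_ACTIONS = {"ForwardToRecipients", "ForwardAsAttachmentToRecipients",
                        "RedirectToRecipients"}


@dataclass
class Finding:
    user: str
    operation: str
    destinations: list = field(default_factory=list)
    external: bool = False   # at least one destination outside the tenant's domains
    via_mapi: bool = False   # created through UpdateInboxRules rather than a cmdlet


def _addresses(value):
    """Normalise a destination: list, 'smtp:'-prefixed string, or ';'-separated string."""
    items = value if isinstance(value, list) else str(value).split(";")
    out = []
    for a in items:
        a = a.strip().lower()
        if a.startswith("smtp:"):
            a = a[5:]
        if a:
            out.append(a)
    return out


def _is_external(addresses, internal_domains):
    return any("@" in a and a.rsplit("@", 1)[1] not in internal_domains for a in addresses)


def evaluate_record(record, internal_domains):
    """Return a Finding if the record creates or alters a forwarding path, else None."""
    op, user = record.get("Operation", ""), record.get("UserId", "")
    dests, via_mapi = [], False
    if op in FORWARDING_CMDLETS:
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        hits = {k: v for k, v in params.items()
                if k in FORWARDING_PARAMS and str(v) not in ("", "False")}
        if not hits:
            return None
        for k, v in hits.items():
            if k != "DeliverToMailboxAndForward":   # boolean toggle, not an address
                dests.extend(_addresses(v))
    elif op == "UpdateInboxRules":
        via_mapi = True
        for prop in record.get("OperationProperties", []):
            if prop.get("Name") != "RuleActions":
                continue
            # Assumed shape: JSON list of {"ActionType": ..., "Recipients": [...]}.
            for action in json.loads(prop["Value"]):
                if action.get("ActionType") in MAPI_FORWARD_ACTIONS:
                    dests.extend(_addresses(action.get("Recipients", [])))
        if not dests:
            return None
    else:
        return None
    return Finding(user, op, dests, _is_external(dests, internal_domains), via_mapi)


def scan(records, internal_domains):
    """Run evaluate_record over every record; external hits are the ones to page on."""
    return [f for f in (evaluate_record(r, internal_domains) for r in records) if f]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"UserId": "admin@contoso.com", "Operation": "Set-Mailbox", "Parameters": [
        {"Name": "Identity", "Value": "alice"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:alice.backup@contoso.com"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"UserId": "bob@contoso.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardTo", "Value": "collector@mail.example"}]},
    {"UserId": "admin@contoso.com", "Operation": "New-TransportRule", "Parameters": [
        {"Name": "Name", "Value": "Archive"},
        {"Name": "BlindCopyTo", "Value": "archive@partner.example"}]},
    {"UserId": "carol@contoso.com", "Operation": "UpdateInboxRules", "OperationProperties": [
        {"Name": "RuleActions", "Value": json.dumps(
            [{"ActionType": "ForwardToRecipients", "Recipients": ["drop@mail.example"]}])}]},
    {"UserId": "dave@contoso.com", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "Identity", "Value": "Newsletters"},
        {"Name": "MoveToFolder", "Value": "Reading"}]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS, {"contoso.com"}):
        tag = "EXTERNAL" if f.external else "internal"
        print(f"{tag:8} {f.operation:18} {f.user:20} -> {', '.join(f.destinations)}"
              + ("  [MAPI]" if f.via_mapi else ""))
```

The internal Set-Mailbox change is still reported so it can be reconciled against a ticket (the departing-employee and shared-mailbox cases in falsepositives), while the three external destinations and the MAPI-created rule are the records an analyst would escalate.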
