M365 Exchange Inbox Forwarding Rule Creation
Detection of new Microsoft 365 Exchange inbox forwarding rules indicating potential unauthorized email interception and exfiltration by attackers.
Attackers can exploit Microsoft 365 Exchange inbox rules to intercept and exfiltrate email data. The abuse involves creating forwarding rules that redirect emails to external, attacker-controlled addresses without proper authorization. This technique allows attackers to gain access to sensitive information without making organization-wide configuration changes or needing elevated privileges. The detection focuses on successful creation or modification events of inbox rules where forwarding parameters are set to external domains, as specified in the o365.audit.Parameters field. The scope includes any Microsoft 365 environment utilizing Exchange Online, providing a mechanism to detect and respond to potential business email compromise (BEC) attempts.
Attack Chain
- Initial Access: An attacker gains access to a legitimate user's Microsoft 365 account, potentially through phishing or credential compromise.
- Rule Creation/Modification: The attacker creates or modifies an inbox rule within the user's Exchange Online mailbox using
New-InboxRuleorSet-InboxRule. - Forwarding Configuration: The rule is configured to forward emails based on specific criteria (e.g., all emails, emails from specific senders) to an external email address via
ForwardTo,ForwardAsAttachmentTo,ForwardingAddress,ForwardingSmtpAddress, orRedirectTo. - Persistence: The inbox rule remains active, automatically forwarding emails that meet the defined criteria to the attacker's address.
- Data Exfiltration: Sensitive information is continuously exfiltrated as emails are forwarded to the external address.
- Covert Operation: The attacker may delete or hide the rule to avoid detection, although this detection focuses on the initial creation.
Impact
Successful exploitation can lead to significant data breaches, loss of sensitive information, and financial losses due to business email compromise. The impact can range from individual data leaks to compromise of intellectual property and confidential business communications. Without detection, attackers can maintain persistent access to sensitive email data, potentially impacting hundreds or thousands of mailboxes.
Recommendation
- Deploy the Sigma rule "M365 Exchange Inbox Forwarding Rule Created" to your SIEM and tune for your environment to detect the creation of suspicious inbox rules.
- Investigate any alerts generated by the Sigma rule by reviewing the
o365.audit.Parametersin the logs, focusing on the forwarding email addresses. - Review and update email security policies to restrict and monitor the creation of forwarding rules, as mentioned in the references.
- Enable multi-factor authentication (MFA) for all users to prevent unauthorized account access, reducing the risk of inbox rule manipulation.
Detection coverage 2
M365 Exchange Inbox Forwarding Rule Created
mediumDetects the creation or modification of Exchange inbox rules that forward emails to external domains.
M365 Exchange Inbox Rule Modification to External Address
mediumDetects modifications to existing Exchange inbox rules to forward emails to external domains.
Detection queries are available on the platform. Get full rules →