Skip to content
Threat Feed
medium advisory

M365 Exchange Inbox Forwarding Rule Creation

Detection of new Microsoft 365 Exchange inbox forwarding rules indicating potential unauthorized email interception and exfiltration by attackers.

Attackers can exploit Microsoft 365 Exchange inbox rules to intercept and exfiltrate email data. The abuse involves creating forwarding rules that redirect emails to external, attacker-controlled addresses without proper authorization. This technique allows attackers to gain access to sensitive information without making organization-wide configuration changes or needing elevated privileges. The detection focuses on successful creation or modification events of inbox rules where forwarding parameters are set to external domains, as specified in the o365.audit.Parameters field. The scope includes any Microsoft 365 environment utilizing Exchange Online, providing a mechanism to detect and respond to potential business email compromise (BEC) attempts.

Attack Chain

  1. Initial Access: An attacker gains access to a legitimate user's Microsoft 365 account, potentially through phishing or credential compromise.
  2. Rule Creation/Modification: The attacker creates or modifies an inbox rule within the user's Exchange Online mailbox using New-InboxRule or Set-InboxRule.
  3. Forwarding Configuration: The rule is configured to forward emails based on specific criteria (e.g., all emails, emails from specific senders) to an external email address via ForwardTo, ForwardAsAttachmentTo, ForwardingAddress, ForwardingSmtpAddress, or RedirectTo.
  4. Persistence: The inbox rule remains active, automatically forwarding emails that meet the defined criteria to the attacker's address.
  5. Data Exfiltration: Sensitive information is continuously exfiltrated as emails are forwarded to the external address.
  6. Covert Operation: The attacker may delete or hide the rule to avoid detection, although this detection focuses on the initial creation.

Impact

Successful exploitation can lead to significant data breaches, loss of sensitive information, and financial losses due to business email compromise. The impact can range from individual data leaks to compromise of intellectual property and confidential business communications. Without detection, attackers can maintain persistent access to sensitive email data, potentially impacting hundreds or thousands of mailboxes.

Recommendation

  • Deploy the Sigma rule "M365 Exchange Inbox Forwarding Rule Created" to your SIEM and tune for your environment to detect the creation of suspicious inbox rules.
  • Investigate any alerts generated by the Sigma rule by reviewing the o365.audit.Parameters in the logs, focusing on the forwarding email addresses.
  • Review and update email security policies to restrict and monitor the creation of forwarding rules, as mentioned in the references.
  • Enable multi-factor authentication (MFA) for all users to prevent unauthorized account access, reducing the risk of inbox rule manipulation.

Detection coverage 2

M365 Exchange Inbox Forwarding Rule Created

medium

Detects the creation or modification of Exchange inbox rules that forward emails to external domains.

sigma tactics: collection techniques: T1114.003 sources: web, o365

M365 Exchange Inbox Rule Modification to External Address

medium

Detects modifications to existing Exchange inbox rules to forward emails to external domains.

sigma tactics: collection techniques: T1114.003 sources: web, o365

Detection queries are available on the platform. Get full rules →