M365 Exchange Inbox Forwarding Rule Created
This rule detects the creation of new inbox forwarding rules in Microsoft 365, which can be abused by attackers to intercept and exfiltrate email data to external addresses.
Attackers can abuse Microsoft 365 Exchange inbox rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. This involves creating or modifying inbox rules to forward emails to externally controlled accounts. The detection rule focuses on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities. This activity is particularly concerning as it allows attackers to maintain persistence and access sensitive information without direct compromise of user credentials, blending in with legitimate administrative functions. A recent AI-enabled device code phishing campaign in April 2026 further highlights the importance of monitoring Exchange configurations for malicious rule creation.
Attack Chain
- Initial Access: An attacker gains initial access to a user’s M365 account, possibly through phishing or credential stuffing.
- Privilege Escalation (if needed): The attacker may attempt to escalate privileges within the compromised account or move laterally to an account with the appropriate permissions.
- Rule Creation/Modification: The attacker uses Exchange PowerShell cmdlets like New-InboxRule, Set-InboxRule, Set-Mailbox, Set-TransportRule, or New-TransportRule to create a new inbox rule or modify an existing one.
- Forwarding Configuration: The attacker configures the inbox rule to forward emails based on specific conditions to an external email address they control, using parameters such as ForwardTo, ForwardAsAttachmentTo, or RedirectTo.
- Data Collection: Emails that meet the defined conditions are automatically forwarded to the attacker’s external email address.
- Data Exfiltration: The attacker collects sensitive information from the forwarded emails.
- Persistence: The inbox rule remains active, providing ongoing access to email data as it arrives in the user’s mailbox.
Impact
Successful exploitation can lead to the exfiltration of sensitive company information, including confidential documents, financial data, and customer information. This can result in financial loss, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the scope of the compromised accounts and the sensitivity of the data being forwarded.
Recommendation
- Deploy the Sigma rule "Detect M365 Exchange Inbox Rule Created to External Domain" to your SIEM and tune it for your environment to identify suspicious forwarding rules.
- Review the Microsoft 365 audit logs for events related to New-InboxRule, Set-InboxRule, Set-Mailbox, Set-TransportRule, and New-TransportRule where the forwarding address is external to the organization, as outlined in the rule description.
- Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of initial access via compromised credentials.
- Regularly review and update email security policies to prevent unauthorized forwarding rules, as mentioned in the references.
- Enable Sysmon process-creation logging to improve detection of malicious PowerShell activity, and investigate related detections.
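The audit-log review described in the attack chain and in the recommendation above can be expressed as a small triage script. The following is an added example, not the platform's own rule or query. It assumes Microsoft 365 Unified Audit Log records exported as newline-delimited JSON, with Exchange cmdlet parameters carried as a list of {"Name": ..., "Value": ...} objects under "Parameters" (the sample records and the contoso.com tenant domains are constructed for the example). Besides the ForwardTo, ForwardAsAttachmentTo and RedirectTo parameters named above it also checks Set-Mailbox's ForwardingSmtpAddress, since Set-Mailbox is in the cmdlet list but does not take ForwardTo.

```python
"""Flag M365 audit records where a rule change forwards mail outside the tenant.

Added example, not the platform's rule. Assumes Unified Audit Log records as
newline-delimited JSON with cmdlet parameters under "Parameters" as a list of
{"Name": ..., "Value": ...} objects (a constructed shape for this example).
"""
import json
import re

# Assumed tenant domains; any other recipient domain is treated as external.
INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Cmdlets named in the write-up.
RULE_CMDLETS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                "Set-TransportRule", "New-TransportRule"}

# Forwarding parameters named in the write-up, plus Set-Mailbox's ForwardingSmtpAddress.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}

# Only successful operations matter; failed attempts are a separate signal.
SUCCESS_VALUES = {"True", "Success", "Succeeded"}

# Pulls the SMTP address out of values such as "bob@x.com", "smtp:bob@x.com"
# or '"Bob" [SMTP:bob@x.com]'.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(value):
    """Return the lower-cased SMTP addresses found in one parameter value."""
    return [m.lower() for m in ADDR_RE.findall(value or "")]


def is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def evaluate(record):
    """Return a finding for a successful rule change that forwards externally, else None."""
    if record.get("Workload") != "Exchange":
        return None
    if record.get("Operation") not in RULE_CMDLETS:
        return None
    if str(record.get("ResultStatus")) not in SUCCESS_VALUES:
        return None
    external = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS:
            addrs = extract_addresses(str(param.get("Value", "")))
            external.extend(a for a in addrs if is_external(a))
    if not external:
        return None
    return {
        "time": record.get("CreationTime"),
        "actor": record.get("UserId"),        # who ran the cmdlet
        "mailbox": record.get("ObjectId"),    # whose mailbox/rule was changed
        "operation": record.get("Operation"),
        "external_recipients": sorted(set(external)),
    }


def scan(json_lines):
    """Run evaluate() over newline-delimited JSON audit records."""
    findings = []
    for line in json_lines.splitlines():
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real tenant data): two should alert.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2026-04-02T08:15:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "ResultStatus": "True", "UserId": "alice@contoso.com", "ObjectId": "alice@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "\"Drop\" [SMTP:drop@attacker-mail.example]"}]},
    {"CreationTime": "2026-04-02T08:20:00", "Workload": "Exchange", "Operation": "Set-InboxRule",
     "ResultStatus": "True", "UserId": "bob@contoso.com", "ObjectId": "bob@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "team-lead@contoso.com"}]},
    {"CreationTime": "2026-04-02T08:25:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "ResultStatus": "False", "UserId": "carol@contoso.com", "ObjectId": "carol@contoso.com",
     "Parameters": [{"Name": "RedirectTo", "Value": "x@evil.example"}]},
    {"CreationTime": "2026-04-02T08:30:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "ResultStatus": "True", "UserId": "admin@contoso.com", "ObjectId": "dave@contoso.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.home@gmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-04-02T08:35:00", "Workload": "Exchange", "Operation": "Get-InboxRule",
     "ResultStatus": "True", "UserId": "erin@contoso.com", "ObjectId": "erin@contoso.com",
     "Parameters": []},
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports the New-InboxRule forwarding to attacker-mail.example and the Set-Mailbox forwarding dave's mailbox to gmail.example; the internal forward, the failed attempt and the read-only Get-InboxRule are ignored. Note that "actor" and "mailbox" differ in the Set-Mailbox case, which is the pattern to look for when an administrative account is used to forward someone else's mail.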
Detection coverage (2 rules)
Detect M365 Exchange Inbox Rule Created to External Domain
Severity: medium. Detects the creation of a new inbox rule in Microsoft 365 Exchange that forwards emails to an external domain.
Detect M365 Exchange PowerShell Cmdlets Used for Inbox Rule Modification
Severity: low. Detects the use of specific PowerShell cmdlets associated with the creation or modification of Exchange Inbox rules.