{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/configuration_audit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["cloud","saas","email","microsoft_365","configuration_audit","email_collection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can abuse Microsoft 365 Exchange inbox rules to intercept and exfiltrate email without touching organization-wide configuration or holding the privileges that would require: a compromised user account can create or modify a rule in its own mailbox that forwards matching mail to an externally controlled address. The detection rule focuses on successful audit events whose parameters specify forwarding (\u003ccode\u003eForwardTo\u003c/code\u003e, \u003ccode\u003eForwardAsAttachmentTo\u003c/code\u003e, \u003ccode\u003eRedirectTo\u003c/code\u003e) to a recipient outside the organization, which identifies unauthorized email redirection. The activity is particularly concerning because the rule keeps delivering mail after the initial credential compromise is over, so the attacker retains access without having to authenticate again, and the change blends in with routine mailbox administration. 
A recent AI-enabled device code phishing campaign in April 2026 further highlights the importance of monitoring Exchange configurations for malicious rule creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a user\u0026rsquo;s M365 account, typically through phishing (including device code phishing) or credential stuffing.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): An inbox rule needs only the mailbox owner\u0026rsquo;s rights, so this step matters only for mailbox-level forwarding (\u003ccode\u003eSet-Mailbox\u003c/code\u003e) or tenant-wide transport rules, which need recipient-management or Exchange admin rights; the attacker may escalate within the compromised account or move laterally to an account that holds those roles.\u003c/li\u003e\n\u003cli\u003eRule Creation/Modification: The attacker creates or modifies the rule with Exchange Online PowerShell cmdlets or the equivalent Outlook on the web settings: \u003ccode\u003eNew-InboxRule\u003c/code\u003e or \u003ccode\u003eSet-InboxRule\u003c/code\u003e for a per-mailbox inbox rule, \u003ccode\u003eSet-Mailbox\u003c/code\u003e for mailbox-level forwarding, or \u003ccode\u003eNew-TransportRule\u003c/code\u003e or \u003ccode\u003eSet-TransportRule\u003c/code\u003e for an organization-wide mail flow rule.\u003c/li\u003e\n\u003cli\u003eForwarding Configuration: The rule is pointed at an external address the attacker controls, using \u003ccode\u003eForwardTo\u003c/code\u003e, \u003ccode\u003eForwardAsAttachmentTo\u003c/code\u003e, or \u003ccode\u003eRedirectTo\u003c/code\u003e on an inbox rule (\u003ccode\u003eForwardingSmtpAddress\u003c/code\u003e on \u003ccode\u003eSet-Mailbox\u003c/code\u003e; \u003ccode\u003eRedirectMessageTo\u003c/code\u003e or \u003ccode\u003eBlindCopyTo\u003c/code\u003e on a transport rule), usually scoped by conditions such as subject keywords or sender so that only mail of interest leaves the tenant.\u003c/li\u003e\n\u003cli\u003eData Collection: Every new message that meets the conditions is forwarded automatically, with no further action needed in the mailbox.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker reads the forwarded mail in the external mailbox, outside the organization\u0026rsquo;s logging and data-loss controls.\u003c/li\u003e\n\u003cli\u003ePersistence: The rule stays active until it is found and removed, so access continues even after the user\u0026rsquo;s password is reset or sessions are revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive 
company information, including confidential documents, financial data, and customer information. This can result in financial loss, reputational damage, and legal liabilities. The extent of the damage depends on how many accounts are compromised, what mail they receive, and how long the rule runs before it is detected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect M365 Exchange Inbox Rule Created to External Domain\u003c/code\u003e to your SIEM and tune it for your environment to identify suspicious forwarding rules.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft 365 unified audit log for \u003ccode\u003eNew-InboxRule\u003c/code\u003e, \u003ccode\u003eSet-InboxRule\u003c/code\u003e, \u003ccode\u003eSet-Mailbox\u003c/code\u003e, \u003ccode\u003eSet-TransportRule\u003c/code\u003e, and \u003ccode\u003eNew-TransportRule\u003c/code\u003e operations whose forwarding parameters point outside the organization, as outlined in the rule description. Complement the log review by enumerating existing rules and forwarding settings with \u003ccode\u003eGet-InboxRule\u003c/code\u003e and \u003ccode\u003eGet-Mailbox\u003c/code\u003e, since a rule created before the review window will not appear in recent events.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to reduce the risk of initial access via stolen credentials. Device code phishing obtains a valid token despite MFA, so also restrict the device code authentication flow (Conditional Access authentication flows) where it is not needed.\u003c/li\u003e\n\u003cli\u003eRegularly review and update email security policies to prevent unauthorized forwarding: keep automatic external forwarding disabled in the outbound spam filter policy (Microsoft\u0026rsquo;s default), which makes forwarding rules to external recipients fail with a non-delivery report, and audit any exceptions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging on managed endpoints to improve detection of malicious PowerShell activity, and investigate related detections. This helps only when the attacker runs Exchange Online PowerShell from a host you monitor; rules created through Outlook on the web or from an unmanaged device appear only in the Microsoft 365 audit log, so treat that log as the primary source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T13:29:13Z","date_published":"2026-05-29T13:29:13Z","id":"https://feed.craftedsignal.io/briefs/2026-05-m365-exchange-inbox-rule/","summary":"This rule detects the creation of new inbox forwarding rules in Microsoft 365, which can be abused by attackers to intercept and exfiltrate email data to external addresses.","title":"M365 Exchange Inbox Forwarding Rule 
Created","url":"https://feed.craftedsignal.io/briefs/2026-05-m365-exchange-inbox-rule/"}],"language":"en","title":"CraftedSignal Threat Feed — Configuration_audit","version":"https://jsonfeed.org/version/1.1"}
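As an added example, not code from the CraftedSignal brief or from the Sigma rule it references, the detection logic described in the brief above, written in Python and run over constructed Exchange audit records in the AuditData shape that Search-UnifiedAuditLog and the Office 365 Management Activity API return (Operation, ResultStatus, UserId, ObjectId, ClientIP, and Parameters as Name/Value pairs). It goes slightly beyond the inbox-rule parameters in the brief by also covering the Set-Mailbox and transport-rule forwarding parameters. The accepted-domain list, the strings treated as a successful ResultStatus, the exact string shapes of the parameter values, and all six sample records are assumptions made for this example.

```python
import json
import re

# Audit-log operations that can set up forwarding, mapped to the parameters that
# carry the recipient. Inbox-rule cmdlets act on one mailbox, Set-Mailbox sets
# mailbox-level forwarding, the transport-rule cmdlets act on all tenant mail flow.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo"},
    "Set-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo"},
}
SUCCESS_STATUSES = {"True", "Succeeded", "Success"}  # assumption: how success is logged
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(value):
    """Lower-cased SMTP addresses in a parameter value. Values vary by cmdlet: a bare
    address, 'smtp:addr' (Set-Mailbox), or '"Name" [SMTP:addr]' entries joined by ';'
    (inbox rules); one regex over the whole string handles all three shapes."""
    return sorted({m.lower() for m in EMAIL_RE.findall(value or "")})


def is_external(address, internal_domains):
    """True unless the domain is an accepted domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def analyze_record(record, internal_domains=INTERNAL_DOMAINS):
    """Alert dict for a successful forwarding change to an external recipient; None
    for other operations, failed attempts, rules that only move or flag mail, and
    forwarding that stays inside the tenant."""
    operation = record.get("Operation")
    if operation not in FORWARDING_PARAMS:
        return None
    if str(record.get("ResultStatus")) not in SUCCESS_STATUSES:
        return None
    params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
    hits = []
    for name in sorted(FORWARDING_PARAMS[operation]):
        if name in params:
            hits.extend((name, a) for a in extract_addresses(params[name])
                        if is_external(a, internal_domains))
    if not hits:
        return None
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "operation": operation, "object": record.get("ObjectId"),
            "client_ip": record.get("ClientIP"), "external_recipients": hits}


def scan(lines, internal_domains=INTERNAL_DOMAINS):
    """Run the check over newline-delimited AuditData JSON; return the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyze_record(json.loads(line), internal_domains)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample records in the AuditData shape (not real tenant data), in order:
# in-tenant forward, external forward-as-attachment, mailbox-level forwarding set by
# a helpdesk account, a failed redirect, a move-only rule, a tenant-wide external BCC.
SAMPLE_AUDITDATA = [json.dumps(r) for r in [
    {"CreationTime": "2026-05-28T08:02:11", "Operation": "New-InboxRule", "ResultStatus": "True",
     "UserId": "alice@example.com", "ObjectId": "Cover while on leave", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Cover while on leave"},
                    {"Name": "ForwardTo", "Value": "\"Bob\" [SMTP:bob@example.com]"}]},
    {"CreationTime": "2026-05-28T22:41:09", "Operation": "New-InboxRule", "ResultStatus": "True",
     "UserId": "alice@example.com", "ObjectId": ".", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "\"Archive\" [SMTP:archive.mailbox@example.net]"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-05-28T22:55:30", "Operation": "Set-Mailbox", "ResultStatus": "True",
     "UserId": "helpdesk@example.com", "ObjectId": "alice", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "alice"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:alice.backup@example.net"}]},
    {"CreationTime": "2026-05-28T23:01:02", "Operation": "Set-InboxRule", "ResultStatus": "False",
     "UserId": "carol@example.com", "ObjectId": "Old rule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "Old rule"}, {"Name": "RedirectTo", "Value": "[SMTP:drop@example.org]"}]},
    {"CreationTime": "2026-05-29T07:15:44", "Operation": "Set-InboxRule", "ResultStatus": "True",
     "UserId": "dave@example.com", "ObjectId": "Newsletters", "ClientIP": "203.0.113.44",
     "Parameters": [{"Name": "Identity", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-05-29T09:30:00", "Operation": "New-TransportRule", "ResultStatus": "True",
     "UserId": "admin@example.com", "ObjectId": "Compliance copy", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "Compliance copy"}, {"Name": "BlindCopyTo", "Value": "audit@example.net"}]},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDITDATA):
        print(json.dumps(alert))
```

Run stand-alone it prints three alerts: the forward-as-attachment rule on alice's mailbox, the mailbox-level forwarding that the helpdesk account set on the same mailbox, and the transport rule that BCCs tenant mail to an external address. The failed redirect is deliberately not flagged, matching the brief's focus on successful events; in practice a failed external forward (for example one blocked by the outbound spam policy) deserves its own lower-severity alert. The check also misses two things the brief does not claim to cover: forwarding to an internal mailbox the attacker already controls, and rules that hide mail (MarkAsRead, MoveToFolder, DeleteMessage) without forwarding it, which are worth hunting separately.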