EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

O365 Mailbox Email Forwarding Enabled

The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.

MITRE ATT&CK

T1114.003

Detection Query

`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name',"ForwardingAddress") | eval match2=mvfind('Parameters{}.Name', "ForwardingSmtpAddress") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress,ForwardingSmtpAddress) | search ForwardTo!="" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by signature dest user src vendor_account vendor_product object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`

Author

Patrick Bareiss, Mauricio Velazco, Splunk

Created

2026-03-10

References

Tags

Office 365 Collection Techniques
Raw Content
name: O365 Mailbox Email Forwarding Enabled
id: 0b6bc75c-05d1-4101-9fc3-97e706168f24
version: 8
date: '2026-03-10'
author: Patrick Bareiss, Mauricio Velazco, Splunk
data_source: []
type: TTP
status: production
description: The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.
search: "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name',\"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress,ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by signature dest user src vendor_account vendor_product object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`"
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Email forwarding may be configured for legitimate purposes, filter as needed.
references:
    - https://attack.mitre.org/techniques/T1114/003/
    - https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Email forwarding configured by $user$ on mailbox $ObjectId$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Collection Techniques
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1114.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json
          sourcetype: o365:management:activity
          source: o365