EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Mail Forwarding/Redirecting Activity In O365

Detects email forwarding or redirecting activity in O365 Audit logs.

MITRE ATT&CK

T1114.003T1564.008T1020
collectiondefense-evasionexfiltration

Detection Query

selection_updateinbox:
  Operation|contains: UpdateInboxRules
  OperationProperties|contains:
    - Forward
    - Recipients
selection_setmailbox:
  Operation|contains: Set-Mailbox
  Parameters|contains:
    - ForwardingSmtpAddress
    - ForwardingAddress
selection_setinbox:
  Operation|contains:
    - New-InboxRule
    - Set-InboxRule
  Parameters|contains:
    - ForwardAsAttachmentTo
    - ForwardingAddress
    - ForwardingSmtpAddress
    - ForwardTo
    - RedirectTo
    - RedirectToRecipients
condition: 1 of selection_*

Author

RedCanary Team (idea), Harjot Singh @cyb3rjy0t

Created

2023-10-11

Data Sources

m365audit

Platforms

m365

References

Tags

attack.collectionattack.t1114.003attack.defense-evasionattack.t1564.008attack.exfiltrationattack.t1020detection.threat-hunting
Raw Content
title: Mail Forwarding/Redirecting Activity In O365
id: c726e007-2cd0-4a55-abfb-79730fbedee5
status: test
description: Detects email forwarding or redirecting activity in O365 Audit logs.
references:
    - https://redcanary.com/blog/email-forwarding-rules/
    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
date: 2023-10-11
modified: 2024-11-17
tags:
    - attack.collection
    - attack.t1114.003
    - attack.defense-evasion
    - attack.t1564.008
    - attack.exfiltration
    - attack.t1020
    - detection.threat-hunting
logsource:
    service: audit
    product: m365
    definition: "Requirements: The 'OperationProperties' and 'Parameters' fields are a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
detection:
    # Note: Might require seperation in the future when enough data is gatherd
    selection_updateinbox:
        Operation|contains: 'UpdateInboxRules'
        OperationProperties|contains:
            - 'Forward'
            - 'Recipients'
    selection_setmailbox:
        Operation|contains: 'Set-Mailbox'
        Parameters|contains:
            - 'ForwardingSmtpAddress'
            - 'ForwardingAddress'
    selection_setinbox:
        Operation|contains:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        Parameters|contains:
            - 'ForwardAsAttachmentTo'
            - 'ForwardingAddress'
            - 'ForwardingSmtpAddress'
            - 'ForwardTo'
            - 'RedirectTo'
            - 'RedirectToRecipients'
    condition: 1 of selection_*
falsepositives:
    - False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
level: medium