LoFP / legitimate usage of the cmdlet to forward emails

Techniques

Sample rules

Suspicious PowerShell Mailbox SMTP Forward Rule

• source: sigma
• technicques:

Description

Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - 'Set-Mailbox '
  - ' -DeliverToMailboxAndForward '
  - ' -ForwardingSmtpAddress '