users may create email forwarding rules for legitimate purposes. filter as needed.

Techniques

Sample rules

O365 New Email Forwarding Rule Created

source: splunk
technicques:
- T1114
- T1114.003

Description

The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.

Detection logic

`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) 
| eval match1=mvfind('Parameters{}.Name', "ForwardTo") 
| eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo") 
| eval match3=mvfind('Parameters{}.Name', "RedirectTo") 
| where match1>= 0 OR match2>= 0 OR match3>= 0 
| eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) 
| stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_new_email_forwarding_rule_created_filter`

O365 New Email Forwarding Rule Enabled

source: splunk
technicques:
- T1114
- T1114.003

Description

The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.

Detection logic

`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules  
| eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction") 
| eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction") 
| eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction") 
| eval index = mvfind('OperationProperties{}.Name', "ServerRule") 
| where match1>= 0 OR match2>= 0 OR match3>= 0 
| eval ServerRule = mvindex('OperationProperties{}.Value', index-1) 
| spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted 
| mvexpand valueExtracted 
| search valueExtracted="*@*.*" 
| eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null) 
| dedup ForwardTo 
| where isnotnull(ForwardTo) 
| stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_new_email_forwarding_rule_enabled_filter`