Microsoft 365 Inbox Forwarding Rule Created

Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/03/29"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic", "Gary Blackwell", "Austin Songer"]
 9description = """
10Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
11on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
12abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
13having the corresponding privileges.
14"""
15false_positives = [
16    """
17    Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company
18    policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Inbox Forwarding Rule Created"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
31    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
32    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
33    "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf",
34]
35risk_score = 47
36rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
37severity = "medium"
38tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:o365.audit and event.provider:Exchange and
44event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
45    (
46        o365.audit.Parameters.ForwardTo:* or
47        o365.audit.Parameters.ForwardAsAttachmentTo:* or
48        o365.audit.Parameters.RedirectTo:*
49    )
50    and event.outcome:success
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1114"
58name = "Email Collection"
59reference = "https://attack.mitre.org/techniques/T1114/"
60[[rule.threat.technique.subtechnique]]
61id = "T1114.003"
62name = "Email Forwarding Rule"
63reference = "https://attack.mitre.org/techniques/T1114/003/"
64
65
66
67[rule.threat.tactic]
68id = "TA0009"
69name = "Collection"
70reference = "https://attack.mitre.org/tactics/TA0009/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top