Microsoft 365 Inbox Forwarding Rule Created
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/29"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic", "Gary Blackwell", "Austin Songer"]
11description = """
12Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
13on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
14abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
15having the corresponding privileges.
16"""
17false_positives = [
18 """
19 Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company
20 policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
21 """,
22]
23from = "now-30m"
24index = ["filebeat-*", "logs-o365*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Microsoft 365 Inbox Forwarding Rule Created"
28note = """## Setup
29
30The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = [
32 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
33 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
34 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
35 "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf",
36]
37risk_score = 47
38rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
39severity = "medium"
40tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:o365.audit and event.provider:Exchange and
46event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
47 (
48 o365.audit.Parameters.ForwardTo:* or
49 o365.audit.Parameters.ForwardAsAttachmentTo:* or
50 o365.audit.Parameters.RedirectTo:*
51 )
52 and event.outcome:success
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1114"
60name = "Email Collection"
61reference = "https://attack.mitre.org/techniques/T1114/"
62[[rule.threat.technique.subtechnique]]
63id = "T1114.003"
64name = "Email Forwarding Rule"
65reference = "https://attack.mitre.org/techniques/T1114/003/"
66
67
68
69[rule.threat.tactic]
70id = "TA0009"
71name = "Collection"
72reference = "https://attack.mitre.org/tactics/TA0009/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification