Suspicious Inbox Forwarding Identity Protection

Oct 28, 2023 · attack.t1140 attack.defense_evasion ·

Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address

Sigma rule (View on GitHub)

 1title: Suspicious Inbox Forwarding Identity Protection
 2id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
 3status: experimental
 4description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
 7    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023/09/03
10tags:
11    - attack.t1140
12    - attack.defense_evasion
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'suspiciousInboxForwarding'
19    condition: selection
20falsepositives:
21    - A legitimate forwarding rule.
22level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Explaining risk in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Suspicious Inbox Forwarding Identity Protection

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules