Mailbox External Forwarding Detected [RULE-1023]

This rule detects when a mailbox in Exchange Online is configured to automatically forward all email to an external address using the mailbox-level forwarding setting (ForwardingSmtpAddress). Unlike individual inbox rules, this setting forwards every single email received by the mailbox to an external recipient, making it a highly effective data exfiltration method.

Rationale

Mailbox-level forwarding is distinct from inbox rules because it operates at the transport level and forwards all mail unconditionally. This technique is mapped to MITRE ATT&CK as T1114.003 (Email Collection: Email Forwarding Rule) and T1020 (Automated Exfiltration).

When an attacker compromises a mailbox, setting the ForwardingSmtpAddress property is one of the most efficient ways to ensure continuous access to the victim's email communications. Because this setting applies to all incoming mail without exception, the attacker receives a complete copy of every email - including sensitive business communications, password reset links, multi-factor authentication codes, and confidential documents.

This technique is particularly dangerous because it is less visible than inbox rules. Users typically do not check their mailbox forwarding settings, and the forwarded emails do not appear in the user's Sent Items folder. The setting persists even after a password change, making it a reliable persistence mechanism for attackers conducting BEC/CEO fraud campaigns. If the person who modified the forwarding setting is someone other than the mailbox owner, this is a strong indicator of account compromise.
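To see what this rule is looking for in your own tenant, the following PowerShell (an added example, not code from the original rule page) lists every mailbox whose ForwardingSmtpAddress points outside the organisation. It assumes the ExchangeOnlineManagement module and a role that can read mailboxes; "external" is defined as any domain not returned by Get-AcceptedDomain, and the helper name Get-ExternalForwardingMailbox is made up for this example.

```powershell
# Added example, not the page's own code. Assumes the ExchangeOnlineManagement
# module and a role that can read mailboxes and accepted domains. "External"
# is defined here as any domain not returned by Get-AcceptedDomain.
Connect-ExchangeOnline

function Get-ExternalForwardingMailbox {
    param([string[]]$InternalDomains)

    # Server-side filter: only mailboxes where the property is set at all.
    Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null' |
        ForEach-Object {
            # Stored as "smtp:user@domain.tld"; strip the prefix before comparing.
            $target = ($_.ForwardingSmtpAddress -replace '^smtp:', '').ToLowerInvariant()
            $domain = $target.Split('@')[-1]
            if ($InternalDomains -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox          = $_.UserPrincipalName
                    ForwardingTarget = $target
                    # $false here means the owner never sees the mail at all:
                    # it is forwarded only, not also delivered to the mailbox.
                    KeepsLocalCopy   = $_.DeliverToMailboxAndForward
                    LastChanged      = $_.WhenChangedUTC
                }
            }
        }
}

$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLowerInvariant() }
Get-ExternalForwardingMailbox -InternalDomains $internal |
    Sort-Object Mailbox | Format-Table -AutoSize
```

The KeepsLocalCopy column is worth reading alongside the target: a mailbox with external forwarding and DeliverToMailboxAndForward set to $false is one whose owner is not receiving their own mail, which is rarely a deliberate user choice.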

Follow-up

Follow these steps to adequately address this detection:

  1. Verify who modified the mailbox forwarding setting and whether the mailbox owner is aware that all their email is being forwarded externally. Check whether the person who made the change is the same as the mailbox owner.

    • If no: The forwarding was not intentionally configured and is likely malicious:

      1. Immediately remove the external forwarding address from the mailbox settings (clear the ForwardingSmtpAddress property).
      2. Reset the password of the affected account and revoke all active sessions via Microsoft Entra ID.
      3. Investigate sign-in logs to determine when and how the account was compromised. Review the Unified Audit Log for other suspicious changes made by the attacker.
      4. If the modification was made by someone other than the mailbox owner, consider engaging Attic for a full incident response investigation.
    • If yes: The forwarding was intentionally configured by the mailbox owner:

      1. Verify that forwarding all email to an external address is permitted under your organization's security policy.
      2. If acceptable: document the exception and close the incident.
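The follow-up steps above can be driven from one triage script. The following is an added example, not the page's own procedure: it pulls the Set-Mailbox record that set ForwardingSmtpAddress from the Unified Audit Log, compares the actor with the mailbox owner, and, only when run with a -Remediate switch, clears the forwarding and revokes sessions. It assumes an existing Connect-ExchangeOnline session, the Microsoft Graph PowerShell SDK for session revocation, that $Mailbox is the UPN from the alert, and a constructed 30-day lookback default.

```powershell
# Added example, not the page's own procedure. Assumes the ExchangeOnlineManagement
# module (already connected with Connect-ExchangeOnline) and, for session
# revocation, the Microsoft Graph PowerShell SDK. $Mailbox is the UPN from the
# alert; the 30-day lookback is a constructed default.
param(
    [Parameter(Mandatory)][string]$Mailbox,
    [int]$LookbackDays = 30,
    [switch]$Remediate          # without this switch the script only reports
)

# --- Step 1: who set ForwardingSmtpAddress, and is that the mailbox owner? ---
# Exchange admin-audit events land in the Unified Audit Log as Operation
# "Set-Mailbox"; the interesting fields are inside the AuditData JSON string.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
                                  -EndDate (Get-Date) -Operations Set-Mailbox `
                                  -FreeText $Mailbox -ResultSize 5000

$changes = foreach ($r in $records) {
    $d   = $r.AuditData | ConvertFrom-Json
    $fwd = $d.Parameters | Where-Object { $_.Name -eq 'ForwardingSmtpAddress' }
    if (-not $fwd) { continue }          # some other Set-Mailbox change, ignore
    [pscustomobject]@{
        When     = [datetime]$d.CreationTime     # UTC
        Actor    = $d.UserId                     # account that ran Set-Mailbox
        Target   = $d.ObjectId                   # mailbox that was changed
        NewValue = $fwd.Value                    # empty means it was cleared
        ClientIP = $d.ClientIP                   # may be blank for some clients
    }
}

$owner  = (Get-Mailbox -Identity $Mailbox).UserPrincipalName
$latest = $changes | Where-Object { $_.NewValue } |
          Sort-Object When -Descending | Select-Object -First 1

if (-not $latest) {
    Write-Warning "No ForwardingSmtpAddress change for $Mailbox in the last $LookbackDays days; widen the window."
    return
}

$latest | Format-List
$actorIsOwner = $latest.Actor -ieq $owner
Write-Host ("Modified by mailbox owner: {0}" -f $actorIsOwner)

# --- Step 2: branch exactly as the follow-up list does ---
if ($actorIsOwner) {
    Write-Host "Owner-configured forwarding: confirm it is allowed by policy, then document the exception."
    return
}

Write-Warning "Forwarding set by $($latest.Actor), not the owner: treat as likely compromise."
if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to clear forwarding and revoke sessions."
    return
}

# Clear the target AND the split-delivery flag so no further copies leave.
Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Invalidate existing sessions and refresh tokens; reset the password through
# your privileged-access workflow rather than embedding one in a script.
Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome
Revoke-MgUserSignInSession -UserId $Mailbox | Out-Null

# Pivot for the rest of the investigation: everything else this actor touched.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -UserIds $latest.Actor -ResultSize 5000 |
    Select-Object CreationDate, Operations, RecordType | Format-Table -AutoSize
```

One caveat when reading the actor field: an attacker who changed the setting with the owner's stolen credentials shows up as the owner, so before closing an incident as intentional, compare the record's ClientIP and timestamp with the owner's usual sign-in locations and hours rather than relying on the actor name alone.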

More information