New Email Forwarding Rule Detected [RULE-1020]
This rule detects when a new mailbox rule is created in Exchange Online that forwards email to an external address. When such a rule is created, it may indicate that an attacker has gained access to a mailbox and is attempting to exfiltrate email data by forwarding messages to an address outside the organization.
Rationale
Email forwarding rules are one of the most common persistence and data exfiltration techniques used by attackers after compromising a mailbox. This technique is mapped to MITRE ATT&CK as T1114.003 (Email Collection: Email Forwarding Rule) and T1020 (Automated Exfiltration).
After gaining access to a user's mailbox - often through phishing or credential theft - attackers frequently create inbox rules that silently forward all incoming emails (or emails matching certain criteria) to an external address they control. This allows the attacker to continue receiving copies of the victim's emails even after the initial compromise is remediated, such as when passwords are changed.
This technique is especially prevalent in Business Email Compromise (BEC) and CEO fraud attacks. Attackers use the forwarded emails to gather intelligence about financial transactions, intercept invoices, and impersonate trusted parties in order to redirect payments to attacker-controlled bank accounts. Detecting these forwarding rules early is critical to preventing financial loss and data leakage.
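As an added example of the logic this rule encodes (not the rule's own implementation and not Microsoft-provided code), the following PowerShell walks Unified Audit Log records for New-InboxRule, Set-InboxRule and Set-Mailbox and flags any whose forwarding or redirect targets fall outside the tenant's accepted domains. The contoso.com domain list and the three audit records are constructed for illustration; the cmdlet and audit field names are the real ones.

```powershell
# Added example (not part of the Attic rule or Microsoft's tooling): hunt the
# Unified Audit Log for inbox-rule and mailbox-forwarding changes that send
# mail to a domain the tenant does not own.

# Assumption: the tenant's accepted domains. In production, use
#   (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Cmdlet parameters through which mail can leave the mailbox.
# ForwardingAddress carries a recipient identity rather than an SMTP address,
# so it only matches below when the audited value includes an address.
$ForwardingParams = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                      'ForwardingSmtpAddress', 'ForwardingAddress')

function Get-ExternalForwardingEvents {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,   # output of Search-UnifiedAuditLog
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    foreach ($record in $AuditRecords) {
        $data = $record.AuditData | ConvertFrom-Json
        $hits = @()
        foreach ($p in $data.Parameters) {
            if ($ForwardingParams -notcontains $p.Name) { continue }
            # Audited values look like "user@x.com", "smtp:user@x.com" or
            # "Display Name [SMTP:user@x.com]", possibly several joined by ';'.
            # Pull out every SMTP address and compare only the domain part.
            $found = [regex]::Matches([string]$p.Value, '[\w.+-]+@[\w-]+(\.[\w-]+)+')
            foreach ($m in $found) {
                $addr = $m.Value.ToLower()
                if ($InternalDomains -notcontains $addr.Split('@')[-1]) {
                    $hits += "$($p.Name)=$addr"
                }
            }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time      = $data.CreationTime
                Operation = $data.Operation
                Actor     = $data.UserId      # who ran the cmdlet
                Mailbox   = $data.ObjectId    # whose mailbox was changed
                ClientIP  = $data.ClientIP
                External  = $hits -join '; '
            }
        }
    }
}

# Constructed sample AuditData payloads in the shape the Unified Audit Log
# returns for Exchange admin operations (only the fields used above).
$SampleAuditData = @(
    # Attacker-style rule: one-character name, look-alike external domain, deletes the original.
    '{"CreationTime":"2024-05-02T08:14:09","Operation":"New-InboxRule","UserId":"alice@contoso.com","ObjectId":"alice@contoso.com","ClientIP":"203.0.113.7:51011","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"Alice [SMTP:a1ice.backup@mail-example.net]"},{"Name":"DeleteMessage","Value":"True"}]}',
    # Mailbox-level forwarding set by a helpdesk account: no inbox rule, still external.
    '{"CreationTime":"2024-05-02T09:02:41","Operation":"Set-Mailbox","UserId":"helpdesk@contoso.com","ObjectId":"bob@contoso.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Identity","Value":"bob@contoso.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.archive@example.org"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    # Benign: redirect to a colleague inside the tenant, must not be flagged.
    '{"CreationTime":"2024-05-02T10:30:00","Operation":"Set-InboxRule","UserId":"carol@contoso.com","ObjectId":"carol@contoso.com","ClientIP":"192.0.2.15","Parameters":[{"Name":"Identity","Value":"Vacation"},{"Name":"RedirectTo","Value":"Dave [SMTP:dave@contoso.com]"}]}'
)
$SampleRecords = $SampleAuditData | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

# Live equivalent (after Connect-ExchangeOnline):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                -RecordType ExchangeAdmin -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000
Get-ExternalForwardingEvents -AuditRecords $SampleRecords -InternalDomains $InternalDomains |
    Format-Table -AutoSize
```

Run against the constructed records this reports the alice and bob events and ignores carol's internal redirect. Two caveats when pointing it at real data: rules created from the Outlook desktop client can be logged as the mailbox audit action UpdateInboxRules, whose record shape differs from the cmdlet-based records handled here, and Exchange Online's default outbound spam policy blocks automatic forwarding to external domains, so a flagged rule may have been created without any mail actually leaving; it is still a compromise indicator.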
Follow-up
Follow these steps to adequately address this detection:
- Verify with the mailbox owner whether the forwarding rule was intentionally created. Check who created the rule, from which client and IP address, and which external address it forwards to.
- If no: the forwarding rule was not intentionally created and may be malicious:
  - Immediately disable or remove the forwarding rule from the mailbox.
  - Reset the password of the affected account and revoke all active sessions via Microsoft Entra ID.
  - Check the sign-in logs for suspicious login activity on the affected account. Review additional inbox rules, mailbox-level forwarding settings and recent email activity for further signs of compromise.
  - Consider engaging Attic for a full incident response investigation to determine the scope of the compromise.
- If yes: the forwarding rule was intentionally created by the user:
  - Verify that forwarding email to an external address is permitted under your organization's security policy.
  - If acceptable: document the exception and close the incident.
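The triage and containment steps above, collected into one PowerShell script as an added example (not Attic's own tooling). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds the Exchange Online and Entra ID roles the cmdlets require; the -Contain switch is this script's own convention, and without it the script only reports.

```powershell
# Added example (not part of the Attic rule documentation or Microsoft's
# tooling): triage, and optionally contain, a mailbox flagged for external
# forwarding. Requires ExchangeOnlineManagement and Microsoft.Graph.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # UPN of the affected user
    [switch] $Contain                           # without -Contain the script only reports
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.RevokeSessions.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Domains the tenant owns; anything else is external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-External([string[]] $Recipients) {
    # Recipients come back as "Name [SMTP:addr]" or plain addresses; flag any
    # address whose domain is not one of the tenant's accepted domains.
    foreach ($r in $Recipients) {
        foreach ($m in [regex]::Matches([string]$r, '[\w.+-]+@[\w-]+(\.[\w-]+)+')) {
            if ($internal -notcontains $m.Value.Split('@')[-1].ToLower()) { return $true }
        }
    }
    return $false
}

# 1. Inbox rules, including ones hidden from Outlook's rules UI, that send mail outside.
$suspect = Get-InboxRule -Mailbox $Mailbox -IncludeHidden | Where-Object {
    Test-External (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo))
}
$suspect | Format-List Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, Description

# 2. Mailbox-level forwarding (Set-Mailbox), which bypasses inbox rules entirely.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Whether the tenant allows automatic external forwarding at all.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

# 4. Recent sign-ins for the account, to find where the rule was created from.
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Mailbox' and createdDateTime ge $since" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        ClientAppUsed,
        @{ n = 'Status'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

if ($Contain) {
    # Disable rather than remove so the rule survives as evidence.
    foreach ($rule in $suspect) {
        Disable-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false
    }
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
    # Invalidate refresh tokens so existing attacker sessions die. Reset the
    # password separately (Entra admin center or Update-MgUser); a reset on
    # its own does not remove mailbox rules, which is why the steps above run first.
    Revoke-MgUserSignInSession -UserId $Mailbox | Out-Null
}
```

Run it without -Contain first and keep the output with the ticket: the rule list, the mailbox forwarding settings and the sign-in records are what the mailbox owner is asked to confirm, and they are also what an incident response team will want if the account turns out to be compromised.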