Adversaries may modify inbox rules to forward or redirect emails as part of credential harvesting or exfiltration efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential email-based attacks that bypass traditional detection mechanisms.
KQL Query

```kql
CloudAppEvents
| where ActionType contains "Set-InboxRule"
| extend Parameters = tostring(parse_json(RawEventData).Parameters)
| where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
```
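As an added illustration (not part of the original query page), the same detection logic in Python over a handful of constructed CloudAppEvents rows, so the matching can be checked offline. It assumes RawEventData carries the Exchange audit record with Parameters as a list of Name/Value objects, which is what the KQL above flattens with tostring(); it also pulls out the forwarding destination for triage, which the KQL does not.

```python
import json

# Constructed sample rows, not real telemetry. The RawEventData layout
# (Parameters as a list of {"Name": ..., "Value": ...}) is an assumption.
SAMPLE_EVENTS = [
    {"ActionType": "Set-InboxRule", "AccountDisplayName": "alice",
     "RawEventData": json.dumps({"Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "ForwardTo", "Value": "archive@example.net"}]})},
    {"ActionType": "Set-InboxRule", "AccountDisplayName": "bob",
     "RawEventData": json.dumps({"Parameters": [
         {"Name": "Identity", "Value": "Cleanup"},
         {"Name": "MoveToFolder", "Value": "Old"}]})},
    # New-InboxRule is a different ActionType; the page's query, which
    # matches only "Set-InboxRule", does not return this row.
    {"ActionType": "New-InboxRule", "AccountDisplayName": "carol",
     "RawEventData": json.dumps({"Parameters": [
         {"Name": "RedirectTo", "Value": "ext@example.org"}]})},
    # Malformed payload: must not break the hunt.
    {"ActionType": "Set-InboxRule", "AccountDisplayName": "dave",
     "RawEventData": "not json"},
]

FORWARDING_PARAMS = ("ForwardTo", "RedirectTo")


def forwarding_destinations(raw_event_data):
    """Return {param: destination} for ForwardTo/RedirectTo parameters.
    Unparseable RawEventData yields an empty dict instead of an exception."""
    try:
        params = json.loads(raw_event_data).get("Parameters", [])
    except (json.JSONDecodeError, AttributeError, TypeError):
        return {}
    return {p["Name"]: p.get("Value") for p in params
            if isinstance(p, dict) and p.get("Name") in FORWARDING_PARAMS}


def hunt_inbox_rule_forwarding(events):
    """Mirror of the KQL: Set-InboxRule events whose parameters include a
    ForwardTo or RedirectTo action. KQL 'contains' is case-insensitive,
    so ActionType is compared in lower case here too."""
    hits = []
    for ev in events:
        if "set-inboxrule" not in ev.get("ActionType", "").lower():
            continue
        dests = forwarding_destinations(ev.get("RawEventData", ""))
        if dests:
            hits.append({"actor": ev.get("AccountDisplayName"), **dests})
    return hits


if __name__ == "__main__":
    for hit in hunt_inbox_rule_forwarding(SAMPLE_EVENTS):
        print(hit)
```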
```yaml
id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
name: Inbox rule changes which forward-redirect email
description: |
  This query helps hunting for Inbox rule changes which forward-redirect email
description-detailed: |
  This query helps hunting for Inbox rule changes which forward-redirect email
  Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Persistence
relevantTechniques:
  - T1098
query: |
  CloudAppEvents
  | where ActionType contains "Set-InboxRule"
  | extend Parameters = tostring(parse_json(RawEventData).Parameters)
  | where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Archiving Job
Description: A legitimate scheduled job runs to archive old emails to a cloud storage service, which may involve moving or redirecting emails.
Filter/Exclusion: Exclude events where the rule action is associated with a known archiving tool (e.g., Microsoft Exchange Archiving, Google Vault) or where the action is part of a scheduled job (e.g., JobName contains “Archive” or “Retention”).
Scenario: User-Initiated Email Forwarding Rule
Description: A user creates a personal rule to forward emails to a personal account or another internal team; the query matches it because of the forwarding action.
Filter/Exclusion: Exclude events where the rule is created by a user (e.g., CreatedBy is a user account) and where the destination is a known personal email address or external domain.
Scenario: System-Wide Email Redirect for Compliance
Description: An admin configures a system-wide rule to redirect all emails to a compliance mailbox for review, which may be flagged as suspicious.
Filter/Exclusion: Exclude events where the rule is applied at the organization level (e.g., RuleScope is “Organization”) and where the destination is a compliance mailbox (e.g., Destination contains “Compliance” or “Legal”).
Scenario: Third-Party Integration for Email Processing
Description: A third-party service (e.g., Salesforce, HubSpot) integrates with the email system to process incoming emails, which may involve redirecting or forwarding emails.
Filter/Exclusion: Exclude events where the rule is initiated by a third-party application (e.g., SourceApplication is “Salesforce” or “HubSpot”) or where the action is part of an integration workflow.
Scenario: Email Forwarding for Team Collaboration