Exchange Online - Email Inbox Manipulation & Forwarding
MDO Inbox Forwarding
Query
OfficeActivity
| where Operation == "Set-HostedOutboundSpamFilterPolicy"
| mv-expand parse_json(Parameters)
| where Parameters.Name == "AutoForwardingMode"
| extend Mode = tostring(Parameters.Value)About this query
Explanation
The query is used to detect and investigate suspicious email inbox manipulation and forwarding activities in Exchange Online. It provides information on changes to the Exchange Online - Anti-spam outbound policy and sign-ins to Exchange Online with PowerShell. It also includes advanced hunting queries to find new inbox rule events, check common ISPs, countries/regions, and user agents for a user, identify if other users have created forward rules to the same destination, and analyze email forwarding activities.
Details

Alex Verboon
Released: January 28, 2024
Tables
OfficeActivity
CloudAppEvents
SigninLogs
AADNonInteractiveUserSignInLogs
EmailEvents
EmailUrlInfo
EmailAttachmentInfo
IdentityLogonEvents
Keywords
Exchange OnlineEmail Inbox ManipulationForwardingMITRE ATT&CKEmail CollectionEmail Forwarding RuleMicrosoft Defender XDROfficeActivityCloudAppEventsSet-HostedOutboundSpamFilterPolicyAutoForwardingModeSigninLogsAADNonInteractiveUserSignInLogsPowerShellAdvanced HuntingSet-MailboxNew-InboxRuleSet-InboxRuleUpdateInboxRulesRawEventDataISPCountryCodeCityUserAgentSuspicious Recipients ListThreat ExplorerEmailEventsSenderDisplayNameSenderFromAddressSenderObjectIdNetworkMessageIdEmailUrlInfoEmailAttachmentInfoForwarderNew-TransportRuleSet-TransportRuleIdentityLogonEventsAccountUpn
Operators
| where| mv-expand| extend| project| union| make-series| count| default| on| step| by| let| now| CloudAppEvents| OfficeActivity| SigninLogs| AADNonInteractiveUserSignInLogs| set-HostedOutboundSpamFilterPolicy| RawEventData| EmailEvents| EmailUrlInfo| EmailAttachmentInfo| IdentityLogonEvents