Query Details

Exchange Online - Email Inbox Manipulation & Forwarding

MDO Inbox Forwarding

Query

OfficeActivity
| where Operation == "Set-HostedOutboundSpamFilterPolicy"
| mv-expand parse_json(Parameters)
| where Parameters.Name == "AutoForwardingMode"
| extend Mode = tostring(Parameters.Value)

About this query

Explanation

The query is used to detect and investigate suspicious email inbox manipulation and forwarding activities in Exchange Online. It provides information on changes to the Exchange Online - Anti-spam outbound policy and sign-ins to Exchange Online with PowerShell. It also includes advanced hunting queries to find new inbox rule events, check common ISPs, countries/regions, and user agents for a user, identify if other users have created forward rules to the same destination, and analyze email forwarding activities.

Details

Alex Verboon profile picture

Alex Verboon

Released: January 28, 2024

Tables

OfficeActivity CloudAppEvents SigninLogs AADNonInteractiveUserSignInLogs EmailEvents EmailUrlInfo EmailAttachmentInfo IdentityLogonEvents

Keywords

Exchange OnlineEmail Inbox ManipulationForwardingMITRE ATT&CKEmail CollectionEmail Forwarding RuleMicrosoft Defender XDROfficeActivityCloudAppEventsSet-HostedOutboundSpamFilterPolicyAutoForwardingModeSigninLogsAADNonInteractiveUserSignInLogsPowerShellAdvanced HuntingSet-MailboxNew-InboxRuleSet-InboxRuleUpdateInboxRulesRawEventDataISPCountryCodeCityUserAgentSuspicious Recipients ListThreat ExplorerEmailEventsSenderDisplayNameSenderFromAddressSenderObjectIdNetworkMessageIdEmailUrlInfoEmailAttachmentInfoForwarderNew-TransportRuleSet-TransportRuleIdentityLogonEventsAccountUpn

Operators

| where| mv-expand| extend| project| union| make-series| count| default| on| step| by| let| now| CloudAppEvents| OfficeActivity| SigninLogs| AADNonInteractiveUserSignInLogs| set-HostedOutboundSpamFilterPolicy| RawEventData| EmailEvents| EmailUrlInfo| EmailAttachmentInfo| IdentityLogonEvents

MITRE Techniques

Actions

GitHub