RULE 04 M365 Exchange Inbox Rule Forward Or Hide
Query
// Rule : M365 - Exchange Online Inbox Rule Created for Forwarding / Hiding
// Severity: High
// Tactics : Collection, Exfiltration, DefenseEvasion
// MITRE : T1114.003 (Email Collection: Email Forwarding Rule),
// T1564.008 (Hide Artifacts: Email Hiding Rules)
// Freq : PT1H Period: PT1H
// Description: Detects creation or modification of Exchange inbox rules that
// forward emails externally, redirect to folders like "RSS Feeds" or
// "Deleted Items", or mark all items as read — classic BEC/exfil tactics.
//==========================================================================================
let LookbackPeriod = 1h;
let SuspiciousFolders = dynamic([
"DeletedItems", "RSS Feeds", "Junk Email", "Deleted Items",
"Sync Issues", "Conversation History"
]);
OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation in (
"New-InboxRule", "Set-InboxRule", "New-TransportRule",
"Set-TransportRule", "New-MailboxRule")
| extend RuleParams = tostring(Parameters)
| extend
ForwardingEnabled = RuleParams has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
HidingEnabled = RuleParams has_any (SuspiciousFolders),
ExternalDomain = RuleParams has_any (".com", ".net", ".io", ".org"),
MarkAsRead = RuleParams has "MarkAsRead",
DeleteEnabled = RuleParams has "Delete",
ExternalEmailPattern = extract(@"ForwardTo.*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})", 1, RuleParams)
| where ForwardingEnabled or HidingEnabled or DeleteEnabled
| extend AlertSeverity = case(
ForwardingEnabled and ExternalDomain, "High",
HidingEnabled or DeleteEnabled, "Medium",
"Low")
| project
TimeGenerated,
UserId,
ClientIP,
Operation,
ForwardingEnabled,
HidingEnabled,
MarkAsRead,
DeleteEnabled,
ExternalEmailPattern,
RuleParams,
AlertSeverityExplanation
This query is designed to detect suspicious activities related to the creation or modification of inbox rules in Microsoft Exchange Online, which could indicate potential security threats such as Business Email Compromise (BEC) or data exfiltration. Here's a simplified explanation of what the query does:
-
Time Frame: It looks at activities from the past hour.
-
Suspicious Folders: It defines a list of folders that are considered suspicious if emails are redirected to them, such as "Deleted Items" or "RSS Feeds".
-
Data Source: It examines records from the
OfficeActivitytable where theRecordTypeis "ExchangeAdmin" and the operation involves creating or modifying inbox rules. -
Rule Parameters: It extracts parameters from these operations to check for:
- ForwardingEnabled: Whether the rule forwards emails to another address.
- HidingEnabled: Whether the rule redirects emails to suspicious folders.
- ExternalDomain: Whether the forwarding address is an external domain (e.g., ".com", ".net").
- MarkAsRead: Whether the rule marks emails as read.
- DeleteEnabled: Whether the rule deletes emails.
-
Alert Severity: It assigns a severity level to each detected activity:
- "High" if emails are forwarded to an external domain.
- "Medium" if emails are hidden or deleted.
- "Low" otherwise.
-
Output: It projects relevant details such as the time of the activity, user ID, client IP, operation type, and the severity of the alert.
The goal is to identify potentially malicious configurations of inbox rules that could be used to forward emails to unauthorized parties, hide them, or delete them, which are common tactics in email-based attacks.
