Query Details

Email Forwarding

Query

// Email forwarding: Set-Mailbox operations in Exchange that set a forwarding SMTP address
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation == "Set-Mailbox"
// Parameters is a JSON array of {Name, Value} objects; the query reads it by position
| extend Name_ = tostring(parse_json(Parameters)[2].Name)
| where Name_ == "DeliverToMailboxAndForward"
| extend ForwardingSMTP_Value_ = tostring(parse_json(Parameters)[1].Value)
| where ForwardingSMTP_Value_ != ""
| project TimeGenerated, ForwardingSMTP_Value_, Name_, UserId

Explanation

This query looks for instances of email forwarding being configured in the OfficeActivity logs. It filters for the Exchange workload and the "Set-Mailbox" operation. It then parses the Parameters column as JSON, reads the Name of the third entry, and keeps only events where that entry is the "DeliverToMailboxAndForward" setting. For those events it reads the Value of the second entry, the forwarding SMTP address, and drops rows where that value is empty. Finally, it projects the time, the forwarding email address, the parameter name, and the user ID that made the change.
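The same detection run in Python over constructed OfficeActivity rows, as an added example that is not the page's own code. It reproduces the query's positional Parameters[2]/Parameters[1] logic next to a lookup keyed on parameter name, and assumes the second entry the query reads is the ForwardingSmtpAddress parameter (the query itself only uses the index).

```python
import json

# Constructed OfficeActivity rows (not real tenant data); Parameters is the JSON array of
# {"Name": ..., "Value": ...} objects that Exchange audit records carry for Set-Mailbox.
def row(ts, user, params):
    return {"TimeGenerated": ts, "OfficeWorkload": "Exchange", "Operation": "Set-Mailbox",
            "UserId": user, "Parameters": json.dumps([{"Name": n, "Value": v} for n, v in params])}

SAMPLE_OFFICE_ACTIVITY = [
    row("2021-07-13T08:15:00Z", "admin@example.com",
        [("Identity", "alice"), ("ForwardingSmtpAddress", "smtp:outside@example.net"),
         ("DeliverToMailboxAndForward", "True")]),
    # Same change, but the cmdlet parameters were logged in a different order.
    row("2021-07-13T09:02:00Z", "bob@example.com",
        [("DeliverToMailboxAndForward", "True"), ("Identity", "bob"),
         ("ForwardingSmtpAddress", "smtp:collector@example.org")]),
    # Forwarding being removed: empty address, so this should not alert.
    row("2021-07-13T10:30:00Z", "admin@example.com",
        [("Identity", "carol"), ("ForwardingSmtpAddress", ""),
         ("DeliverToMailboxAndForward", "False")]),
]

def is_set_mailbox(r):
    return r.get("OfficeWorkload") == "Exchange" and r.get("Operation") == "Set-Mailbox"

def positional_matches(rows):
    # The page's query as written: Parameters[2].Name and Parameters[1].Value, position-dependent.
    hits = []
    for r in filter(is_set_mailbox, rows):
        p = json.loads(r["Parameters"])
        if len(p) > 2 and p[2].get("Name") == "DeliverToMailboxAndForward" and p[1].get("Value"):
            hits.append(r["UserId"])
    return hits

def parameters_by_name(raw):
    # Map Name -> Value so the lookup no longer depends on where a parameter sits in the array.
    items = json.loads(raw) if raw else []
    return {str(p.get("Name")): str(p.get("Value", "")) for p in items if isinstance(p, dict)}

def forwarding_matches(rows):
    # Same detection keyed on parameter names; each hit mirrors the query's project line.
    hits = []
    for r in filter(is_set_mailbox, rows):
        params = parameters_by_name(r.get("Parameters"))
        target = params.get("ForwardingSmtpAddress", "")
        if "DeliverToMailboxAndForward" in params and target != "":
            hits.append({"TimeGenerated": r["TimeGenerated"], "ForwardingSMTP_Value_": target,
                         "Name_": "DeliverToMailboxAndForward", "UserId": r["UserId"]})
    return hits
```

On the sample rows the positional version reports only the first change, while the name-keyed version also catches the second, where the same parameters were logged in a different order.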

Details

Rod Trent

Released: July 13, 2021

Tables

OfficeActivity

Keywords

OfficeActivity,Exchange,Set-Mailbox,DeliverToMailboxAndForward,ForwardingSMTP_Value,TimeGenerated,Name,UserId

Operators

where, extend, tostring, parse_json, project