Query Details

HUNT 02 M365 Exchange Inbox Transport Rule Audit 30d

Query

// Hunt    : M365 - Inbox Rule and Transport Rule Audit (30d)
// Purpose : Full audit of all Exchange inbox and transport rules created or modified
//           in the past 30 days, pre-calculated for forwarding, redirect and hiding
//           indicators to support BEC and exfiltration investigations.
// Tables  : OfficeActivity
// Period  : P30D
//==========================================================================================

let LookbackDays = 30d;

OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "New-InboxRule", "Set-InboxRule", "Remove-InboxRule",
    "New-TransportRule", "Set-TransportRule",
    "Enable-TransportRule", "Disable-TransportRule",
    "Remove-TransportRule", "New-JournalRule")
// Parameters is a serialized JSON array of {Name, Value} pairs; has_any tests for the
// presence of a parameter name in that string, it does not inspect the parameter's value
| extend Params = tostring(Parameters)
| extend
    HasForward      = Params has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "RedirectMessageTo"),
    HasHide         = Params has_any ("DeleteMessage", "MoveToFolder", "MarkAsRead"),
    HasBypass       = Params has_any ("ExceptIfSenderDomainIs", "SetHeaderName"),
    // first address after a forward/redirect parameter; NOT compared against tenant domains
    ExternalAddress = extract(@"(ForwardTo|ForwardAsAttachmentTo|RedirectTo|RedirectMessageTo).*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})", 2, Params),
    // text after the first colon following MoveToFolder (values take the mailbox:\Folder form)
    FolderTarget    = extract(@"(MoveToFolder).*?:([^\s,]+)", 2, Params)
| project
    TimeGenerated,
    UserId,
    ClientIP,
    Operation,
    HasForward,
    HasHide,
    HasBypass,
    ExternalAddress,
    FolderTarget,
    Params
| sort by TimeGenerated desc

Explanation

This query audits changes to Exchange Online inbox rules and transport rules over the past 30 days and pre-computes the indicators most often seen in Business Email Compromise (BEC) and mail exfiltration: forwarding, redirection and hiding of messages. Here's a breakdown:

  1. Time Frame: The query looks at activities from the last 30 days (TimeGenerated > ago(30d)).

  2. Data Source: It uses the OfficeActivity table and keeps only records with RecordType "ExchangeAdmin", i.e. Exchange cmdlet invocations. These cover rules created or changed through PowerShell, the Exchange admin center and Outlook on the web. Rules changed from the Outlook desktop client are recorded as the mailbox audit operation UpdateInboxRules rather than as a cmdlet, so this query does not return them; mailbox-level forwarding set with Set-Mailbox (ForwardingSmtpAddress) is also out of scope here.

  3. Operations Monitored: It filters for the cmdlets that create, modify, enable, disable or remove inbox rules, transport rules and journal rules.

  4. Indicators: The Parameters column is a serialized JSON array of parameter name/value pairs, so has_any on its string form tells you whether a given parameter was supplied. Only presence is tested, not the value:

    • Forwarding/Redirecting: Flags rules that forward or redirect messages (ForwardTo, ForwardAsAttachmentTo, RedirectTo, RedirectMessageTo).
    • Hiding: Flags rules that delete messages, move them to a folder, or mark them as read, the usual way a compromised mailbox is kept from noticing replies to attacker-sent mail.
    • Bypassing: Flags transport rules that carve out exceptions by sender domain or that set a header.
  5. Extracted Information: ExternalAddress holds the first e-mail address found after a forwarding or redirect parameter. Despite its name it is not checked against the tenant's own domains, so compare it with your accepted domains to tell internal redirection (a legitimate transport rule) from exfiltration. FolderTarget captures the text after the first colon following MoveToFolder; inspect Params when it looks truncated or carries surrounding JSON characters.

  6. Output: The results include the time of the activity, user ID, client IP, type of operation, the indicator flags, the extracted values and the raw Params string, sorted by the most recent activity.

This query is useful for security investigations to detect unauthorized or suspicious email rule changes. In triage, a rule that combines HasForward with HasHide from an unfamiliar ClientIP is the classic BEC pattern and should be checked first.
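To exercise the same indicator logic offline before deploying the hunt, here is a Python re-implementation run over a handful of constructed OfficeActivity events. This is an added example, not the page's query and not Microsoft code. It assumes the Parameters column is a JSON array of {"Name", "Value"} objects and that MoveToFolder values take the mailbox:\Folder form; TENANT_DOMAINS and the sample records are invented for the example. Unlike has_any on the serialized string, it keys on parsed parameter names, and it adds the internal/external split the KQL leaves to the analyst.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Same indicator parameter lists and operation set as the KQL hunt.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "RedirectMessageTo")
HIDE_PARAMS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
BYPASS_PARAMS = ("ExceptIfSenderDomainIs", "SetHeaderName")
RULE_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule", "Remove-InboxRule",
    "New-TransportRule", "Set-TransportRule", "Enable-TransportRule",
    "Disable-TransportRule", "Remove-TransportRule", "New-JournalRule",
}
# Assumption: the tenant's accepted domains; any other recipient domain counts as external.
TENANT_DOMAINS = {"contoso.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    operation: str
    has_forward: bool
    has_hide: bool
    has_bypass: bool
    forward_targets: list = field(default_factory=list)
    external_targets: list = field(default_factory=list)
    folder_target: str = ""


def parse_parameters(raw):
    """Parameters is assumed to be a JSON array of {"Name": ..., "Value": ...} objects;
    return it as a dict keyed by parameter name (unparseable input -> {})."""
    try:
        items = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return {str(i.get("Name")): str(i.get("Value", "")) for i in items if isinstance(i, dict)}


def folder_name(value):
    """MoveToFolder values are assumed to look like 'mailbox:\\Folder'; keep only the folder."""
    return value.split(":", 1)[-1].lstrip("\\") if value else ""


def evaluate(record, now, lookback=timedelta(days=30)):
    """Apply the hunt's filters and indicator logic to one OfficeActivity record."""
    if datetime.fromisoformat(record["TimeGenerated"]) <= now - lookback:
        return None
    if record.get("RecordType") != "ExchangeAdmin" or record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(record.get("Parameters", ""))
    targets = [a for n in FORWARD_PARAMS for a in EMAIL_RE.findall(params.get(n, ""))]
    return Finding(
        time=record["TimeGenerated"], user=record.get("UserId", ""),
        client_ip=record.get("ClientIP", ""), operation=record["Operation"],
        # Like the KQL, only the presence of a parameter is tested, not its value.
        has_forward=any(n in params for n in FORWARD_PARAMS),
        has_hide=any(n in params for n in HIDE_PARAMS),
        has_bypass=any(n in params for n in BYPASS_PARAMS),
        forward_targets=targets,
        external_targets=[t for t in targets if t.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS],
        folder_target=folder_name(params.get("MoveToFolder", "")),
    )


def hunt(records, now, lookback=timedelta(days=30)):
    """Evaluate a batch of records; findings come back newest first, like the query."""
    findings = [f for f in (evaluate(r, now, lookback) for r in records) if f is not None]
    return sorted(findings, key=lambda f: f.time, reverse=True)

# Constructed sample events (not real tenant data); NOW pins the 30-day window.
NOW = datetime(2026, 3, 18, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-03-17T08:12:00+00:00", "RecordType": "ExchangeAdmin", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.10",
     "Parameters": json.dumps([{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "ForwardTo", "Value": "\"Ops\" [SMTP:ops@example.net]"}])},
    {"TimeGenerated": "2026-03-10T14:03:00+00:00", "RecordType": "ExchangeAdmin", "Operation": "Set-InboxRule",
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.7",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "Invoices"}, {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "MoveToFolder", "Value": "bob@contoso.com:\\RSS Subscriptions"}])},
    {"TimeGenerated": "2026-03-01T09:30:00+00:00", "RecordType": "ExchangeAdmin", "Operation": "Set-TransportRule",
     "UserId": "admin@contoso.com", "ClientIP": "192.0.2.5",
     "Parameters": json.dumps([{"Name": "RedirectMessageTo", "Value": "legal-archive@contoso.com"},
                               {"Name": "ExceptIfSenderDomainIs", "Value": "partner.example"}])},
    # Mailbox-level forwarding is not a rule cmdlet, so the hunt does not return it.
    {"TimeGenerated": "2026-03-16T11:00:00+00:00", "RecordType": "ExchangeAdmin", "Operation": "Set-Mailbox",
     "UserId": "carol@contoso.com", "ClientIP": "203.0.113.44",
     "Parameters": json.dumps([{"Name": "ForwardingSmtpAddress", "Value": "smtp:x@example.org"}])},
    # Older than the 30-day window.
    {"TimeGenerated": "2026-02-01T10:00:00+00:00", "RecordType": "ExchangeAdmin", "Operation": "New-InboxRule",
     "UserId": "dave@contoso.com", "ClientIP": "198.51.100.9",
     "Parameters": json.dumps([{"Name": "ForwardTo", "Value": "old@example.net"}])},
]
```

Calling hunt(SAMPLE_RECORDS, NOW) returns three findings: Alice's forward-and-delete rule with an external target (the BEC pattern), Bob's move-to-folder rule with no forwarding, and the admin's internal redirect transport rule, whose target is filtered out of external_targets by the tenant domain list. The Set-Mailbox event and the February event are dropped by the same operation and time filters the KQL applies, which is the point of keeping the two implementations aligned: the sample set doubles as a regression fixture whenever the parameter lists in the hunt are changed.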

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

let, ago, in, extend, tostring, has_any, extract, project, sort, where
