Query Details

RULE 04 M365 Exchange Inbox Rule Forward Or Hide

Query

// Rule    : M365 - Exchange Online Inbox Rule Created for Forwarding / Hiding
// Severity: High
// Tactics : Collection, Exfiltration, DefenseEvasion
// MITRE   : T1114.003 (Email Collection: Email Forwarding Rule),
//           T1564.008 (Hide Artifacts: Email Hiding Rules)
// Freq    : PT1H   Period: PT1H
// Description: Detects creation or modification of Exchange inbox rules that
//              forward emails externally, redirect to folders like "RSS Feeds" or
//              "Deleted Items", or mark all items as read — classic BEC/exfil tactics.
//==========================================================================================

let LookbackPeriod = 1h;
let SuspiciousFolders = dynamic([
    "DeletedItems", "RSS Feeds", "Junk Email", "Deleted Items",
    "Sync Issues", "Conversation History"
]);

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "ExchangeAdmin"
| where Operation in (
    "New-InboxRule", "Set-InboxRule", "New-TransportRule",
    "Set-TransportRule", "New-MailboxRule")
| extend RuleParams = tostring(Parameters)
| extend
    ForwardingEnabled      = RuleParams has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    HidingEnabled          = RuleParams has_any (SuspiciousFolders),
    ExternalDomain         = RuleParams has_any (".com", ".net", ".io", ".org"),
    MarkAsRead             = RuleParams has "MarkAsRead",
    DeleteEnabled          = RuleParams has "Delete",
    ExternalEmailPattern   = extract(@"ForwardTo.*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})", 1, RuleParams)
| where ForwardingEnabled or HidingEnabled or DeleteEnabled
| extend AlertSeverity = case(
    ForwardingEnabled and ExternalDomain, "High",
    HidingEnabled or DeleteEnabled,       "Medium",
    "Low")
| project
    TimeGenerated,
    UserId,
    ClientIP,
    Operation,
    ForwardingEnabled,
    HidingEnabled,
    MarkAsRead,
    DeleteEnabled,
    ExternalEmailPattern,
    RuleParams,
    AlertSeverity

Explanation

This query is designed to detect suspicious activities related to the creation or modification of inbox rules in Microsoft Exchange Online, which could indicate potential security threats such as Business Email Compromise (BEC) or data exfiltration. Here's a simplified explanation of what the query does:

  1. Time Frame: It looks at activities from the past hour.

  2. Suspicious Folders: It defines a list of folders that are considered suspicious if emails are redirected to them, such as "Deleted Items" or "RSS Feeds".

  3. Data Source: It examines records from the OfficeActivity table where the RecordType is "ExchangeAdmin" and the operation involves creating or modifying inbox rules.

  4. Rule Parameters: It extracts parameters from these operations to check for:

    • ForwardingEnabled: Whether the rule forwards emails to another address.
    • HidingEnabled: Whether the rule redirects emails to suspicious folders.
    • ExternalDomain: Whether the rule parameters contain a common top-level domain string such as ".com" or ".net", which the query uses as a heuristic for an external forwarding address.
    • MarkAsRead: Whether the rule marks emails as read.
    • DeleteEnabled: Whether the rule deletes emails.

  5. Alert Severity: It assigns a severity level to each detected activity:

    • "High" if emails are forwarded to an external domain.
    • "Medium" if emails are hidden or deleted.
    • "Low" otherwise.

  6. Output: It projects relevant details such as the time of the activity, user ID, client IP, operation type, and the severity of the alert.

The goal is to identify potentially malicious configurations of inbox rules that could be used to forward emails to unauthorized parties, hide them, or delete them, which are common tactics in email-based attacks.
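The classification logic described above, re-implemented in Python over constructed OfficeActivity-style rows so the severity assignment can be traced offline; this is an added example, not the query author's code. The `has` helper approximates KQL term matching, the sample rows and the `ORG_DOMAINS` set are assumptions, and `strict_external=True` is an added refinement (not in the query) that replaces the TLD heuristic with a comparison of the extracted ForwardTo domain against the tenant's own domains.

```python
import re

# Constructed sample rows shaped like OfficeActivity records (not real audit data);
# Parameters holds the cmdlet parameters as the JSON-style string the audit event carries.
SAMPLE_ROWS = [
    {"UserId": "alice@contoso.com", "Operation": "New-InboxRule",
     "Parameters": '[{"Name":"ForwardTo","Value":"drop@attacker-mail.net"}]'},
    {"UserId": "bob@contoso.com", "Operation": "Set-InboxRule",
     "Parameters": '[{"Name":"MoveToFolder","Value":"Deleted Items"},{"Name":"MarkAsRead","Value":"True"}]'},
    {"UserId": "carol@contoso.com", "Operation": "New-InboxRule",
     "Parameters": '[{"Name":"ForwardTo","Value":"assistant@contoso.com"}]'},
    {"UserId": "dave@contoso.com", "Operation": "New-InboxRule",
     "Parameters": '[{"Name":"MoveToFolder","Value":"Projects"}]'},
]
SUSPICIOUS_FOLDERS = ["DeletedItems", "RSS Feeds", "Junk Email", "Deleted Items",
                      "Sync Issues", "Conversation History"]
TLD_HINTS = [".com", ".net", ".io", ".org"]          # the query's external-domain heuristic
ORG_DOMAINS = {"contoso.com"}                         # assumed tenant domains; tune per environment
EMAIL_RE = re.compile(r"ForwardTo.*?([a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,})")

def has(text, term):
    """Approximate KQL `has`: the term's alphanumeric tokens must occur as whole tokens, in order."""
    tokens = re.findall(r"[A-Za-z0-9]+", term)
    pattern = r"(?<![A-Za-z0-9])" + r"[^A-Za-z0-9]+".join(map(re.escape, tokens)) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def has_any(text, terms):
    return any(has(text, t) for t in terms)

def classify(row, strict_external=False):
    """Severity the rule would assign to one row, or None if the row is filtered out."""
    p = row["Parameters"]
    forwarding = has_any(p, ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"])
    hiding = has_any(p, SUSPICIOUS_FOLDERS)
    delete = has(p, "Delete")
    if not (forwarding or hiding or delete):
        return None
    m = EMAIL_RE.search(p)
    address = m.group(1) if m else ""
    if strict_external:
        # Added refinement: an address is external only if its domain is not one of ours.
        external = bool(address) and address.rsplit("@", 1)[1].lower() not in ORG_DOMAINS
    else:
        external = has_any(p, TLD_HINTS)      # as written in the query
    if forwarding and external:
        return "High"
    if hiding or delete:
        return "Medium"
    return "Low"

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "query", [(r["UserId"], classify(r, mode)) for r in SAMPLE_ROWS])
```

Note that the TLD heuristic rates carol's forward to a tenant-internal ".com" address as High while the domain comparison does not, which is the main source of noise to expect from the query as written.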

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

let, dynamic, ago, in, extend, tostring, has_any, has, extract, case, project, where