detection.wiki

Email Collection: Email Forwarding Rule T1114.003

Tactic: Collection

Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.

Events covered

1 catalog event is tagged with this technique by at least one rule.

ProviderEventTitle
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 16 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (32 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Operation8eq 6, contains 1, ends_with 1, in 1New-InboxRule, Set-InboxRule, AlertEntityGenerated, Disable-*, New-*
sourcetype6eq 6o365:management:activity
Workload4eq 4Exchange, SecurityComplianceCenter
EventType3in 2, eq 1New-TransportRule, CHANGE_GMAIL_SETTING, CREATE_GMAIL_SETTING, New-InboxRule, Set-InboxRule
match13ge 30
match23ge 30
ForwardTo2is_not_null 1, ne 1
Provider_Name2eq 2Exchange
ScriptBlockText2contains 2deletemessage, forwardasattachmentto, forwardingaddress, forwardingsmtpaddress, markasread
data_stream.dataset2eq 2google_workspace.admin, o365.audit
event.outcome2eq 2success
m365::Parameters2contains 2deletemessage, forwardasattachmentto, forwardingaddress, forwardingsmtpaddress, markasread
match32ge 20
Name1in 1Email sending limit exceeded, Suspicious Email Forwarding Activity, Suspicious email sending patterns detected
Parameters{}.Name1in 1CopyToFolder, DeleteMessage, ForwardAsAttachmentTo

Top indicator values (78 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
sourcetypeeq
o365:management:activity
680
Operationeq
New-InboxRule
35
Operationeq
Set-InboxRule
22
Operationeq
AlertEntityGenerated
14
Operationeq
Set-Mailbox
1
Workloadeq
Exchange
320
match1ge
0
34
match2ge
0
34
Provider_Nameeq
Exchange
219
ScriptBlockTextcontains
new-inboxrule
22
ScriptBlockTextcontains
set-inboxrule
22
event.outcomeeq
success
2251
match3ge
0
23
EventTypeeq
New-TransportRule
1
EventTypein
CHANGE_GMAIL_SETTING
1
EventTypein
CREATE_GMAIL_SETTING
1
EventTypein
New-InboxRule
13
EventTypein
New-TransportRule
1
EventTypein
Set-InboxRule
13
EventTypein
Set-Mailbox
1
EventTypein
Set-TransportRule
1
Namein
Email sending limit exceeded
1
Namein
Suspicious Email Forwarding Activity
1
Namein
Suspicious email sending patterns detected
1
Namein
User restricted from sending email
1
Operationcontains
new-inboxrule
1
Operationcontains
set-inboxrule
1
Operationcontains
set-mailbox
1
Operationcontains
updateinboxrules
1
Operationends_with
transportrule
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 6 rules

Elastic 3 rules

Splunk 6 rules

Panther 1 rule