Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)
In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1114.003 | Email Forwarding Rule | |
| AC-17 | Remote Access | Protects | T1114.003 | Email Forwarding Rule | |
| AC-19 | Access Control for Mobile Devices | Protects | T1114.003 | Email Forwarding Rule | |
| AC-20 | Use of External Systems | Protects | T1114.003 | Email Forwarding Rule | |
| AC-04 | Information Flow Enforcement | Protects | T1114.003 | Email Forwarding Rule | |
| CM-06 | Configuration Settings | Protects | T1114.003 | Email Forwarding Rule | |
| SC-43 | Usage Restrictions | Protects | T1114.003 | Email Forwarding Rule | |
| SC-07 | Boundary Protection | Protects | T1114.003 | Email Forwarding Rule | |
| SI-12 | Information Management and Retention | Protects | T1114.003 | Email Forwarding Rule | |
| SI-04 | System Monitoring | Protects | T1114.003 | Email Forwarding Rule | |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1114.003 | Email Forwarding Rule |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1114.003 | Email Forwarding Rule |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Email Forwarding Rule attacks due to administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-fowarding and transport rules.
License Requirements:
Microsoft 365 E3 and E5
References
|
| EOP-MFR-E3 | Mail Flow Rules | Technique Scores | T1114.003 | Email Forwarding Rule |
Comments
In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them. Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
Mail Flow Rules protects from Email Forwarding Rule attacks due to the custom rules feature which allows you to define rules to encrypt email messages which provides an added layer of security to sensitive information sent over email.
License Requirements:
Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1114.003 | Email Forwarding Rule |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1114.003 | Email Forwarding Rule |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1114.003 | Email Forwarding Rule |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|