Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1114.003 | Email Forwarding Rule |
| AC-17 | Remote Access | Protects | T1114.003 | Email Forwarding Rule |
| AC-19 | Access Control for Mobile Devices | Protects | T1114.003 | Email Forwarding Rule |
| AC-20 | Use of External Systems | Protects | T1114.003 | Email Forwarding Rule |
| AC-4 | Information Flow Enforcement | Protects | T1114.003 | Email Forwarding Rule |
| SC-7 | Boundary Protection | Protects | T1114.003 | Email Forwarding Rule |
| SI-12 | Information Management and Retention | Protects | T1114.003 | Email Forwarding Rule |
| SI-4 | System Monitoring | Protects | T1114.003 | Email Forwarding Rule |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1114.003 | Email Forwarding Rule |
| azure_sentinel | Azure Sentinel | technique_scores | T1114.003 | Email Forwarding Rule |