Email Forwarding Rule Abuse Detection Across Platforms

ID: DET0576
Domains: Enterprise
Analytics: AN1589, AN1590, AN1591, AN1592
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1589

Creation of inbox rules via PowerShell (New-InboxRule) or of transport rules via the Exchange cmdlets (New-TransportRule, Set-TransportRule). Correlates the user context, the cmdlet used, and the rule's properties (forwarding targets, deletion or mark-as-read actions).

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
Cloud Service Metadata (DC0070) | m365:exchange | Cmdlet - New-InboxRule
Mutable Elements
Field | Description
UserContext | Certain service accounts or admin contexts may be expected to create these rules.
TimeWindow | Correlate rule creation with follow-on message forwarding within this timeframe.
TargetMailbox | Whitelisted or trusted destination addresses may be tuned per org policy.

AN1590

Creation or modification of Apple Mail rules, either by editing the rule plist files directly or by driving the Mail GUI with AppleScript.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | log stream --predicate
File Modification (DC0061) | fs:plist_monitoring | /Users/*/Library/Mail/V*/MailData/RulesActiveState.plist
Mutable Elements
Field | Description
RuleFilePath | Different Mail versions store rules in slightly different locations. RulesActiveState.plist only records which rules are enabled; the rule definitions themselves sit in SyncedRules.plist in the same MailData directory, so both files should be watched.
ScriptTrigger | AppleScript usage for GUI automation may be common in automation workflows.

AN1591

Creation of email forwarding/redirect rules in Exchange Online via New-InboxRule/Set-InboxRule or the transport rule cmdlets, including mailbox-level forwarding set through the ForwardingSmtpAddress attribute, confirmed by the X-MS-Exchange-Organization-AutoForwarded header on forwarded messages in message trace.

Log Sources
Data Component | Name | Channel
Cloud Service Metadata (DC0070) | m365:unified | New-InboxRule, Set-InboxRule
Application Log Content (DC0038) | m365:messagetrace | X-MS-Exchange-Organization-AutoForwarded
Mutable Elements
Field | Description
ForwardingSMTPAddress | Destination domain may vary; commonly tuned per org policies.
ActorId | Differentiate service/admin users vs standard user population.
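The following is an added worked example, not code from the ATT&CK page, implementing AN1589 and AN1591 together: it reads Exchange admin audit records, flags forwarding parameters that point outside the organisation, weights stealth actions (DeleteMessage, MarkAsRead), applies the UserContext/ActorId and TargetMailbox/ForwardingSMTPAddress allow-lists, and then correlates each hit with auto-forwarded messages inside the TimeWindow. The records are constructed to follow the shape of the AuditData JSON returned by Search-UnifiedAuditLog for Exchange cmdlets (Operation, UserId, Parameters as a list of Name/Value pairs); the message-trace objects, domain list and allow-list values are assumptions for the demo.

```python
"""Exchange forwarding-rule detection (AN1589 / AN1591). Added example; sample data is constructed."""
import json
import re
from datetime import datetime, timedelta

# Tunables that correspond to the page's mutable elements (all values assumed).
INTERNAL_DOMAINS = {"contoso.com"}                      # org-owned domains
TRUSTED_FORWARD_TARGETS = {"archive@partner.example"}   # TargetMailbox / ForwardingSMTPAddress
SERVICE_ACCOUNTS = {"svc-mailflow@contoso.com"}         # UserContext / ActorId
TIME_WINDOW = timedelta(hours=24)                       # rule change -> forwarded mail

# Cmdlet parameters that deliver mail to another address.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo"},
    "Set-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo"},
}
# Inbox-rule parameters that hide the forwarded mail from the mailbox owner.
STEALTH_PARAMS = ("DeleteMessage", "MarkAsRead")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_external(address):
    return address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def analyze_rule_event(audit_data):
    """Return a finding for one AuditData record, or None when it is benign."""
    rec = json.loads(audit_data) if isinstance(audit_data, str) else audit_data
    watched = FORWARDING_PARAMS.get(rec.get("Operation"))
    if not watched:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    targets = set()
    for name in watched.intersection(params):
        # Values may be bare addresses, "smtp:addr", or '"Display Name" [SMTP:addr]'.
        targets.update(a.lower() for a in EMAIL_RE.findall(params[name]))
    external = {t for t in targets if is_external(t) and t not in TRUSTED_FORWARD_TARGETS}
    if not external:
        return None
    actor = rec.get("UserId", "").lower()
    stealth = [p for p in STEALTH_PARAMS if params.get(p, "").lower() == "true"]
    severity = "low" if actor in SERVICE_ACCOUNTS else ("high" if stealth else "medium")
    return {
        "time": datetime.fromisoformat(rec["CreationTime"]),
        "actor": actor,
        "operation": rec["Operation"],
        "rule_name": params.get("Name") or params.get("Identity", ""),
        "external_targets": sorted(external),
        "stealth": stealth,
        "severity": severity,
    }


def correlate_with_forwarded_mail(findings, traces):
    """Escalate a finding when auto-forwarded mail reached its external target
    within TIME_WINDOW after the rule change (the AN1591 TimeWindow correlation)."""
    for f in findings:
        hits = [t for t in traces
                if t["headers"].get("X-MS-Exchange-Organization-AutoForwarded", "").lower() == "true"
                and t["recipient"].lower() in f["external_targets"]
                and timedelta(0) <= t["time"] - f["time"] <= TIME_WINDOW]
        f["forwarded_messages"] = len(hits)
        if hits:
            f["severity"] = "high"
    return findings


# Constructed sample events (not real tenant data).
SAMPLE_AUDIT = [
    json.dumps({"CreationTime": "2025-10-21T08:15:02", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "alice@contoso.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "\"ext\" [SMTP:drop@mail-collect.example]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-10-21T09:00:00", "Operation": "Set-Mailbox", "Workload": "Exchange",
                "UserId": "svc-mailflow@contoso.com",
                "Parameters": [{"Name": "Identity", "Value": "shared@contoso.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@vendor.example"}]}),
    json.dumps({"CreationTime": "2025-10-21T09:30:00", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "bob@contoso.com",
                "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "finance@contoso.com"}]}),
]
SAMPLE_TRACES = [  # constructed: one forwarded message seen five minutes after alice's rule
    {"time": datetime(2025, 10, 21, 8, 20), "recipient": "drop@mail-collect.example",
     "headers": {"X-MS-Exchange-Organization-AutoForwarded": "true"}},
]


def run(audit=SAMPLE_AUDIT, traces=SAMPLE_TRACES):
    findings = [f for f in map(analyze_rule_event, audit) if f]
    return correlate_with_forwarded_mail(findings, traces)


if __name__ == "__main__":
    for f in run():
        print(f["severity"].upper(), f["actor"], f["operation"], f["external_targets"], f["stealth"], f["forwarded_messages"])
```

Bob's rule forwards to an internal address and produces nothing; the service-account change to ForwardingSmtpAddress is kept as a low-severity finding rather than dropped, so an allow-listed account that starts forwarding to a new external domain still leaves a record to review. The regex-based address extraction matters because audit Values for ForwardTo are not always plain SMTP addresses.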

AN1592

Modification of the Thunderbird message filter file (msgFilterRules.dat under the account's profile directory) or of a user's ~/.forward, including entries that pipe delivery through CLI tools such as procmail/formail, which redirect mail at the delivery-agent level before any mail client sees it.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | auditd:SYSCALL | write
Command Execution (DC0064) | linux:cli | /home/*/.bash_history
Mutable Elements
Field | Description
.forwardPath | Per-user home directories; tune the path patterns to the local user population.
ExecContext | Expected email client behavior (e.g., Thunderbird rewriting its own filter file) may trigger similar file edits.
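An added worked example for AN1592, not code from the ATT&CK page: it groups auditd SYSCALL/PATH records by audit serial, matches written paths against the .forwardPath patterns, uses the ExecContext idea (which program is expected to write which file) to de-prioritise the mail client rewriting its own filter file, inspects the contents of a written .forward for external addresses or pipe commands, and scans shell history for procmail/formail usage. The audit lines, file contents, history entries, internal-domain list and expected-writer list are all constructed assumptions; the audit records are written as a file watch such as `-w /home -p wa -k mail_forward` would produce.

```python
"""Unix mail-forwarding change detection (AN1592). Added example; all sample data is constructed."""
import re
from collections import defaultdict

INTERNAL_DOMAINS = {"corp.example"}  # assumption: org-owned mail domains

# .forwardPath tunables: watched files, keyed by compiled path pattern.
WATCHED = {
    re.compile(r"^/home/[^/]+/\.forward$"): "forward",
    re.compile(r"^/home/[^/]+/\.procmailrc$"): "procmailrc",
    re.compile(r"^/home/[^/]+/\.thunderbird/[^/]+/(ImapMail|Mail)/[^/]+/msgFilterRules\.dat$"): "thunderbird_filters",
}
# ExecContext tunables: programs expected to write each kind of file (assumption).
EXPECTED_WRITERS = {"thunderbird_filters": {"thunderbird", "thunderbird-bin"}}
SUSPICIOUS_CLI = re.compile(r"procmail|formail|\.forward|\.procmailrc")

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_auditd(lines):
    """Join SYSCALL and PATH records that share an audit serial into one event dict."""
    events = defaultdict(dict)
    for line in lines:
        m = SERIAL_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[m.group(2)]
        ev["time"] = float(m.group(1))
        if kv.get("type") == "SYSCALL":
            ev.update(comm=kv.get("comm"), exe=kv.get("exe"), auid=kv.get("auid"),
                      success=kv.get("success"), key=kv.get("key"))
        elif kv.get("type") == "PATH":
            ev.setdefault("paths", []).append(kv.get("name"))
    return list(events.values())


def classify_forward_file(text):
    """Summarise a .forward file: external recipients and pipe-to-command entries."""
    external, pipes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "|" in line:                       # e.g. "|/usr/bin/procmail -f-"
            pipes.append(line.strip('"'))
            continue
        for entry in line.split(","):
            entry = entry.strip().strip('"')  # \user means local delivery, no "@"
            if "@" in entry and entry.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                external.append(entry)
    return {"external": external, "pipes": pipes}


def detect(audit_lines, file_contents, shell_history):
    """Return (file-modification findings, suspicious shell-history commands)."""
    findings = []
    for ev in parse_auditd(audit_lines):
        if ev.get("success") != "yes":
            continue
        for path in ev.get("paths", []):
            kind = next((k for rx, k in WATCHED.items() if rx.match(path)), None)
            if not kind:
                continue
            f = {"path": path, "kind": kind, "comm": ev.get("comm"), "auid": ev.get("auid"), "severity": "medium"}
            if ev.get("comm") in EXPECTED_WRITERS.get(kind, set()):
                f["severity"] = "low"          # the mail client maintaining its own file
            if kind == "forward" and path in file_contents:
                f.update(classify_forward_file(file_contents[path]))
                if f["external"] or f["pipes"]:
                    f["severity"] = "high"
            findings.append(f)
    cli_hits = [cmd for cmd in shell_history if SUSPICIOUS_CLI.search(cmd)]
    return findings, cli_hits


# Constructed samples: a shell appending to .forward, then Thunderbird saving its filters.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1761033302.115:4821): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b0a40 a2=441 a3=1b6 items=2 ppid=2210 pid=2254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="mail_forward"',
    'type=PATH msg=audit(1761033302.115:4821): item=1 name="/home/alice/.forward" inode=131135 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE',
    'type=SYSCALL msg=audit(1761033390.004:4870): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7f3c2a1b0c20 a2=241 a3=1b6 items=2 ppid=1 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key="mail_forward"',
    'type=PATH msg=audit(1761033390.004:4870): item=1 name="/home/alice/.thunderbird/abc123.default/ImapMail/imap.corp.example/msgFilterRules.dat" inode=131140 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
]
SAMPLE_FILES = {"/home/alice/.forward": "\\alice, drop@mail-collect.example\n"}
SAMPLE_HISTORY = ["ls -la", "echo 'drop@mail-collect.example' >> ~/.forward", "formail -ds procmail < /var/mail/alice"]

if __name__ == "__main__":
    found, cli = detect(SAMPLE_AUDIT, SAMPLE_FILES, SAMPLE_HISTORY)
    for f in found:
        print(f["severity"].upper(), f["comm"], f["path"], f.get("external", []), f.get("pipes", []))
    print("history:", cli)
```

The .forward write lands as high because the file now contains an external recipient, while the Thunderbird write is kept but marked low since the writing process is the one expected for that file; a different process touching msgFilterRules.dat would stay at medium. Reading the file contents after the audit event is what separates "someone edited .forward" from "mail is now leaving the organisation".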