Multiple users email forwarded to same destination



Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.

| Attribute | Value |
| --- | --- |
| Type | Hunting Query |
| Solution | Microsoft 365 |
| ID | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Collection, Exfiltration |
| Techniques | T1114, T1020 |
| Required Connectors | Office365 |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
OfficeActivity OfficeWorkload == "Exchange" ?
