Multiple users email forwarded to same destination

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.

Attribute	Value
Type	Analytic Rule
Solution	Microsoft 365
ID	871ba14c-88ef-48aa-ad38-810f26760ca3
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	Collection, Exfiltration
Techniques	T1114, T1020
Required Connectors	Office365
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
OfficeActivity	OfficeWorkload == "Exchange"	✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft 365