Office Mail Forwarding - Hunting Version

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.

Attribute	Value
Type	Hunting Query
Solution	Microsoft 365
ID	d49fc965-aef3-49f6-89ad-10cc4697eb5b
Tactics	Collection, Exfiltration
Techniques	T1114, T1020
Required Connectors	Office365
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
OfficeActivity	ClientIP has "." ClientIP has "[" OfficeWorkload == "Exchange" Parameters contains "ForwardTo" Parameters contains "ForwardingSmtpAddress" Parameters contains "RedirectTo"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to Microsoft 365