Inbox Rules Audit (Mailbox Forwarding)

m365-azure, Email Security, Cloud Admin Portal

Location

Unified Audit Log (Operations: New-InboxRule, Set-InboxRule, UpdateInboxRules)

Description

Audit events specifically tracking creation and modification of Exchange Online inbox rules, including server-side forwarding (Set-Mailbox -ForwardingSmtpAddress) and client-side rules that move, delete, or redirect messages.

Forensic Value

Inbox rule manipulation is the hallmark of BEC attacks. Adversaries create rules to forward copies of all incoming email to an external address, or to auto-delete replies so the victim does not notice ongoing impersonation. Searching for New-InboxRule operations with ForwardTo, RedirectTo, or DeleteMessage actions across all mailboxes in the tenant identifies every compromised mailbox with active exfiltration rules.
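The tenant-wide sweep described above, as an added Python example that is not from the original page: it walks exported Unified Audit Log records (the AuditData JSON string that Search-UnifiedAuditLog returns) and flags rule events that forward or redirect to an address outside the tenant, enable DeleteMessage, or move mail into a folder the owner rarely reads. The internal domain, the folder list and the sample records are constructed assumptions.

```python
import json
import re

# Inbox-rule parameters that copy mail off the mailbox, or hide it from its owner.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}  # heuristic (assumption)
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _rule_params(audit):
    # New-InboxRule / Set-InboxRule records carry a Parameters array of {Name, Value};
    # records without it (assumption: e.g. client-side UpdateInboxRules) yield nothing.
    return {p["Name"]: str(p.get("Value", "")) for p in audit.get("Parameters", [])}

def triage_inbox_rules(records, internal_domains):
    """Return one finding per rule event that forwards externally or hides mail."""
    findings = []
    for rec in records:
        audit = rec["AuditData"]
        audit = json.loads(audit) if isinstance(audit, str) else audit  # exported as a JSON string
        if audit.get("Operation") not in RULE_OPS:
            continue
        params, reasons = _rule_params(audit), []
        for name in sorted(FORWARD_PARAMS & params.keys()):
            external = [a for a in ADDR_RE.findall(params[name])
                        if a.rsplit("@", 1)[1].lower() not in internal_domains]
            if external:
                reasons.append(f"{name} to external address(es): {', '.join(external)}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage enabled")
        if params.get("MoveToFolder", "").strip('"').lower() in HIDE_FOLDERS:
            reasons.append(f"MoveToFolder {params['MoveToFolder']} (rarely read folder)")
        if reasons:
            findings.append({"time": audit.get("CreationTime"), "user": audit.get("UserId"),
                             "op": audit["Operation"], "rule": params.get("Name", ""),
                             "client_ip": audit.get("ClientIP"), "reasons": reasons})
    return findings

# Constructed sample records in the shape Search-UnifiedAuditLog returns (AuditData as a JSON string).
SAMPLE_RECORDS = [
    {"AuditData": json.dumps({"CreationTime": "2024-03-01T02:14:09", "Operation": "New-InboxRule",
        "UserId": "alice@contoso.example", "ClientIP": "203.0.113.5", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "\"x\" [SMTP:finance@external.example]"},
        {"Name": "DeleteMessage", "Value": "True"}]})},
    {"AuditData": json.dumps({"CreationTime": "2024-03-01T09:00:00", "Operation": "New-InboxRule",
        "UserId": "bob@contoso.example", "ClientIP": "198.51.100.7", "Parameters": [
        {"Name": "Name", "Value": "Projects"}, {"Name": "MoveToFolder", "Value": "Projects"}]})},
    {"AuditData": json.dumps({"CreationTime": "2024-03-01T10:30:00", "Operation": "Set-InboxRule",
        "UserId": "carol@contoso.example", "ClientIP": "198.51.100.9", "Parameters": [
        {"Name": "Identity", "Value": "Delegate"}, {"Name": "RedirectTo", "Value": "carol@contoso.example"}]})},
]

if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_RECORDS, {"contoso.example"}):
        print(f["time"], f["user"], f["op"], repr(f["rule"]), f["client_ip"], "; ".join(f["reasons"]))
```

Only the first sample record is reported: bob's rule files mail into a normal folder and carol's redirect stays inside the tenant, which is the distinction that keeps a tenant-wide sweep from drowning in legitimate rules.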

Tools Required

PowerShell (Get-InboxRule)
PowerShell (ExchangeOnlineManagement)
Hawk
Microsoft Purview

Related Blockers

Legal Requesting Preservation Conflicts with Containment

Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.

Unknown Scope of Credential Compromise

One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.

Attacker Using VPN/Tor -- Cannot Determine True Origin

The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.

M365/Azure Logs Past Retention Period

Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.

Shared Cloud Environment Complicates Isolation

The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.