Investigate Mailbox Rule Modifications
Examine all mailbox rules, delegates, and forwarding configurations for evidence of attacker persistence. BEC actors commonly create inbox rules to hide security alerts, forward emails to external addresses, or redirect replies to spoofed domains.
Actions
1. Enumerate all inbox rules for compromised mailboxes: `Get-InboxRule -Mailbox compromised_user | Select Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder | Format-List`.
2. Check for mailbox forwarding and delegates: `Get-Mailbox -Identity compromised_user | Select ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward` and `Get-MailboxPermission -Identity compromised_user | Where-Object { $_.IsInherited -eq $false }`.
3. Search for rules that delete or move security notifications: look for rules whose conditions match "security", "alert", "password", "suspicious" or "MFA" and whose action moves the message to the Deleted Items or RSS Feeds folder.
4. Review mail transport rules at the organization level for attacker modifications: `Get-TransportRule | Where-Object { $_.WhenChanged -ge T_START } | Select Name, State, Priority, SentTo, RedirectMessageTo`.
5. Check for mailbox audit bypass configuration: `Get-MailboxAuditBypassAssociation | Select Name, AuditBypassEnabled` -- attackers may disable auditing on compromised mailboxes.
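Steps 1 to 3 can be combined into a single triage pass that pulls every rule (including hidden ones) for each mailbox under investigation and flags the indicators named above: forwarding or redirection to an address outside the organisation, message deletion, moves into folders users rarely read, and conditions keyed on security-notification wording. The script below is an added example written for this playbook step, not code from the original page; it assumes an existing Exchange Online PowerShell session and treats `$Mailboxes` and `$InternalDomains` as placeholders the analyst fills in.

```powershell
# Added example: triage inbox rules for BEC persistence indicators.
# Assumes Connect-ExchangeOnline has already been run in this session.
$Mailboxes       = @('compromised_user')       # placeholder: mailboxes under investigation
$InternalDomains = @('example.com')            # placeholder: the organisation's accepted domains
$SuspectFolders  = @('Deleted Items', 'RSS Feeds', 'Conversation History', 'Junk Email', 'Archive')
$SuspectKeywords = @('security', 'alert', 'password', 'suspicious', 'mfa')

function Test-ExternalRecipient {
    # Returns $true if any recipient's domain is not one of the organisation's own domains.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Recipients are rendered as '"Display Name" [SMTP:user@domain]'; pull out the address.
        $addr = if ($r -match 'SMTP:([^\]]+)') { $Matches[1] } else { $r }
        $domain = ($addr -split '@')[-1]
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

foreach ($mbx in $Mailboxes) {
    # -IncludeHidden also returns client-side rules that are not visible in Outlook on the web.
    $rules = Get-InboxRule -Mailbox $mbx -IncludeHidden
    foreach ($rule in $rules) {
        $reasons = @()

        # Indicator 1: forward / forward-as-attachment / redirect to an external address.
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
            Where-Object { $_ } | ForEach-Object { $_.ToString() }
        if ($targets -and (Test-ExternalRecipient -Recipients $targets)) {
            $reasons += "forwards/redirects to external address: $($targets -join ', ')"
        }

        # Indicator 2: the rule silently deletes messages.
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }

        # Indicator 3: the rule moves messages into a folder users rarely check.
        if ($rule.MoveToFolder) {
            $folderHit = $SuspectFolders | Where-Object { $rule.MoveToFolder -like "*$_*" }
            if ($folderHit) { $reasons += "moves messages to $($rule.MoveToFolder)" }
        }

        # Indicator 4: conditions keyed on security-notification wording.
        $conditionText = (@($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                          @($rule.SubjectOrBodyContainsWords) + @($rule.FromAddressContainsWords)) -join ' '
        $keywordHits = $SuspectKeywords | Where-Object { $conditionText -match $_ }
        if ($keywordHits) { $reasons += "conditions match security keywords: $($keywordHits -join ', ')" }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox  = $mbx
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Priority = $rule.Priority
                Reasons  = $reasons -join '; '
            }
        }
    }
}
```

Pipe the output to `Export-Csv` to keep the flagged rules with the case evidence; a rule that triggers on none of the four indicators is not printed, so an empty result means the mailbox had no rule matching these heuristics, not that it had no rules at all.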
Queries
```kusto
OfficeActivity
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where Operation in ("New-InboxRule","Set-InboxRule","Enable-InboxRule","UpdateInboxRules","Set-Mailbox","Set-TransportRule","New-TransportRule")
| project TimeGenerated, UserId, Operation, Parameters, ClientIP
| order by TimeGenerated asc
```

```kusto
CloudAppEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ActionType in ("Set-InboxRule","New-InboxRule","Set-Mailbox")
| extend RuleDetails=tostring(RawEventData)
| where RuleDetails has_any ("ForwardTo","RedirectTo","DeleteMessage","MoveToFolder")
| project Timestamp, AccountDisplayName, ActionType, RuleDetails, IPAddress
```

```kusto
AuditLogs
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where OperationName in ("Set-Mailbox","Add-MailboxPermission","Add-RecipientPermission")
| project TimeGenerated, OperationName, InitiatedBy, TargetResources
| order by TimeGenerated asc
```

Notes
- Inbox rules are the most common BEC persistence mechanism. Attackers use them to intercept password reset emails, hide security alerts, and maintain visibility into ongoing email conversations.
- Check the RSS Feeds and Conversation History folders -- attackers commonly move emails there because users rarely check these locations.