Investigate Mailbox Rule Modifications
Examine all mailbox rules, delegates, and forwarding configurations for evidence of attacker persistence. BEC actors commonly create inbox rules to hide security alerts, forward emails to external addresses, or redirect replies to spoofed domains.
Actions
1. Enumerate all inbox rules for compromised mailboxes: `Get-InboxRule -Mailbox compromised_user | Select Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder | Format-List`.
2. Check for mailbox forwarding and delegates: `Get-Mailbox -Identity compromised_user | Select ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward` and `Get-MailboxPermission -Identity compromised_user | Where-Object { $_.IsInherited -eq $false }`.
3. Search for rules that delete or move security notifications: look for rules whose conditions match "security", "alert", "password", "suspicious" or "MFA" and that delete the message or move it to the Deleted Items or RSS Feeds folder.
4. Review mail transport rules at the organization level for attacker modifications: `Get-TransportRule | Where-Object { $_.WhenChanged -ge T_START } | Select Name, State, Priority, SentTo, RedirectMessageTo`.
5. Check for mailbox audit bypass configuration: `Get-MailboxAuditBypassAssociation | Select Name, AuditBypassEnabled` -- attackers may disable auditing on compromised mailboxes.
Queries
OfficeActivity | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Operation in ("New-InboxRule","Set-InboxRule","Enable-InboxRule","UpdateInboxRules","Set-Mailbox","Set-TransportRule","New-TransportRule") | project TimeGenerated, UserId, Operation, Parameters, ClientIP | order by TimeGenerated asc
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("Set-InboxRule","New-InboxRule","Set-Mailbox") | extend RuleDetails=tostring(RawEventData) | where RuleDetails has_any ("ForwardTo","RedirectTo","DeleteMessage","MoveToFolder") | project Timestamp, AccountDisplayName, ActionType, RuleDetails, IPAddress
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where OperationName in ("Set-Mailbox","Add-MailboxPermission","Add-RecipientPermission") | project TimeGenerated, OperationName, InitiatedBy, TargetResources | order by TimeGenerated asc
index=o365 sourcetype=o365:management:activity (Operation="Set-InboxRule" OR Operation="New-InboxRule" OR Operation="Enable-InboxRule" OR Operation="UpdateInboxRules") earliest=T_START latest=T_END | stats count by UserId, Operation, Parameters, ClientIP | sort -count
index=o365 sourcetype=o365:management:activity (Operation="Set-Mailbox" OR Operation="New-TransportRule" OR Operation="Set-TransportRule") earliest=T_START latest=T_END | search Parameters="*ForwardTo*" OR Parameters="*RedirectTo*" OR Parameters="*ForwardingSMTPAddress*" | table _time, UserId, Operation, Parameters, ClientIP | sort _time
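Added example (not part of the original playbook): a Python triage pass over the Parameters field that the audit queries above return, flagging rule events that forward or redirect outside the tenant, or that delete or move mail matching the security keywords from action 3 into the rarely viewed folders named in the Notes. The sample events, the tenant domain `example.com` and all addresses are constructed; the `{Name, Value}` parameter shape follows the Exchange audit records the Office 365 Management Activity API emits.

```python
# Constructed sample records shaped like Office 365 Management Activity Exchange
# audit events (Parameters is an array of {Name, Value} pairs); all values are made up.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "security;password;MFA"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "Set-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance@attacker-example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
SECURITY_WORDS = {"security", "alert", "password", "suspicious", "mfa"}
RARELY_VIEWED = {"rss feeds", "rss subscriptions", "conversation history"}
HIDING_FOLDERS = RARELY_VIEWED | {"deleted items", "junk email"}

def split_list(value):
    """Multi-valued rule settings arrive as ';'-separated strings in the audit record."""
    return [v.strip() for v in value.split(";") if v.strip()]

def triage_rule_event(event):
    """Return the reasons an inbox-rule audit event looks like BEC persistence ([] = none)."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):  # exfil/redirect actions
        external = [a for a in split_list(p.get(key, ""))
                    if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"{key} sends mail outside the tenant: {', '.join(external)}")
    folder = p.get("MoveToFolder", "").lower()
    words = {w.lower() for k in ("SubjectContainsWords", "BodyContainsWords")
             for w in split_list(p.get(k, ""))}
    hits = sorted(words & SECURITY_WORDS)
    if hits and (p.get("DeleteMessage", "").lower() == "true" or folder in HIDING_FOLDERS):
        reasons.append(f"hides security mail matching {hits} (deleted or moved to '{p.get('MoveToFolder', '')}')")
    elif folder in RARELY_VIEWED:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    return reasons

def triage(events):
    """Map '<UserId> <Operation>' to its reasons for every suspicious rule event."""
    return {f"{e['UserId']} {e['Operation']}": r for e in events if (r := triage_rule_event(e))}
```

Feed it the Parameters arrays from the OfficeActivity or Splunk results to get a per-user shortlist before pulling the full rule set with `Get-InboxRule`.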
Notes
Inbox rules are the most common BEC persistence mechanism. Attackers use them to intercept password reset emails, hide security alerts, and maintain visibility into ongoing email conversations.
Check the RSS Feeds and Conversation History folders -- attackers commonly move emails there because users rarely check these locations.