
Inbox Rule Created with External Forwarding

New-InboxRule - User-level Email Forwarding

Records New-InboxRule operations where users create email forwarding rules, often with external forwarding to bypass administrator controls and exfiltrate sensitive data

Tags: exchange, inbox-rules, email-forwarding, user-activity, data-exfiltration
Format: JSON | Fields: 23 | Frequency: Medium | Type: Generator

Overview

Captures New-InboxRule operations where users create inbox rules to automatically forward emails to external addresses. This is a common technique for data exfiltration and persistence as it bypasses administrator-level mailbox forwarding controls and can be harder to detect.

When Generated:

  • User creates a new inbox rule via Outlook or OWA
  • Attacker with compromised credentials establishes forwarding persistence
  • Legitimate user sets up external email forwarding for convenience
  • Automated rule creation by compromised account

Security Relevance:

High

Compliance:

  • GDPR (Data Protection & Transfer)
  • HIPAA (PHI Exfiltration)
  • PCI-DSS (Cardholder Data Protection)
  • SOX (Financial Data Controls)
  • NIST 800-53 (AC-2, AU-6, SI-4)

Frequency Notes:

Medium frequency in normal operations as users create legitimate rules. Suspicious indicators: rules with generic names ('Auto Archive'), external forwarding, keyword-based triggers targeting business content, StopProcessingRules=True, and especially creation during off-hours (4x multiplier for night, 3.5x for weekends).


Generation Configuration

Base Frequency: 8 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.0x
Night Hours Multiplier: 4.0x
Weekend Multiplier: 3.5x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name | Type | Required | Format | Description | Example
(Each field lists its generator Source on the line below its name; fixed Possible Values, where they exist, follow the field.)

CreationTime
Source: now() | iso8601
DateTime | Required | ISO 8601 | Timestamp when the inbox rule was created | 2024-12-15T09:17:33Z

Id
Source: random_guid()
String | Required | GUID | Unique identifier for this audit record | f1e2d3c4-b5a6-7c8d-9e0f-1a2b3c4d5e6f

Operation
Source: Static value 'New-InboxRule'
String | Required | - | Exchange operation that was performed | New-InboxRule

OrganizationId
Source: Derived from organization domain
String | Required | GUID | Microsoft 365 tenant identifier | b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e

RecordType
Source: Static value 1
Integer | Required | - | Office 365 audit log record type (1 = ExchangeAdmin) | 1

ResultStatus
Source: random_choice(['Success', 'Success', 'Success', 'Failed'])
String | Required | - | Outcome of the rule creation operation | Success
Possible values:
  • Success — Rule created successfully
  • Failed — Rule creation failed (validation or permission error)

UserKey
Source: registry.get_random_user().email
String | Required | - | Unique identifier for the user who created the rule | compromised.user@contoso.com

UserType
Source: random_choice([0, 2])
Integer | Required | - | Type of user creating the rule | 0
Possible values:
  • 0 — Regular user
  • 2 — Administrator

Workload
Source: Static value 'Exchange'
String | Required | - | Office 365 service where the operation occurred | Exchange

UserId
Source: registry.get_random_user().email
String | Required | Email/UPN | User principal name of the account that created the rule | compromised.user@contoso.com

ClientIP
Source: random_choice([random_public_ip(), random_public_ip(), random_private_ip()]), weighted toward external IPs
String | Required | IPv4:Port | IP address and port from which the rule was created | 198.51.100.88:43921

ObjectId
Source: registry.get_random_user().email
String | Required | Email/UPN | Mailbox for which the rule was created | compromised.user@contoso.com

ExternalAccess
Source: random_choice(['true', 'true', 'false']), weighted 67% external
Boolean | Required | - | Indicates if the rule was created from outside the corporate network | true

OrganizationName
Source: Derived from organization domain
String | Required | *.onmicrosoft.com | Microsoft 365 tenant name | contoso.onmicrosoft.com

OriginatingServer
Source: Random Exchange Online server identifier
String | Required | - | Exchange server that processed the rule creation | BN8PR01MB5678 (15.20.7654.32)

Parameters
Source: Array of parameter objects defining rule behavior
Array | Required | - | Parameters used when creating the inbox rule | -

Parameters[].Name
String | Required | - | Parameter name (Name, SubjectContainsWords, ForwardTo, StopProcessingRules, DeleteMessage, Mailbox) | SubjectContainsWords

Parameters[].Value
Source: Context-specific values; keywords target business content, ForwardTo contains external addresses
String | Required | - | Parameter value. Critical fields include ForwardTo (external email), SubjectContainsWords (keywords for targeting) and StopProcessingRules (prevents detection) | invoice,payment,urgent,confidential

SessionId
Source: random_guid()
String | Required | GUID | Session identifier for the user connection | a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d

ClientInfoString
Source: Random client type and access method
String | Optional | - | Information about the client used to create the rule (OWA, Outlook, etc.) | Client=OWA;Action=ViaProxy;

Item
Source: Object with rule name and parent folder path
Object | Required | - | Details about the created inbox rule | -

Item.Id
Source: Random benign-sounding rule name
String | Required | - | Name of the inbox rule (often benign-sounding to avoid detection) | Auto Archive Important Messages

Item.ParentFolder.Path
Source: Static value '/Inbox Rules'
String | Required | - | Location where the rule is stored | /Inbox Rules
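As an added example (not part of this event-type definition or its generator), the following Python applies the suspicious indicators from the Frequency Notes above to a record in the Parameters layout documented here: external ForwardTo, StopProcessingRules, a generic rule name, business-keyword triggers and off-hours creation. The sample record, the tenant domains, the rule-name watchlist and the keyword list are constructed assumptions; ForwardAsAttachmentTo and RedirectTo are further New-InboxRule forwarding parameters that this page does not list but that deserve the same check.

```python
import json
import re
from datetime import datetime

# Constructed sample in this page's field layout (not a real audit record).
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2024-12-15T02:17:33Z", "Operation": "New-InboxRule",
    "RecordType": 1, "ResultStatus": "Success", "ExternalAccess": "true",
    "UserId": "compromised.user@contoso.com", "ObjectId": "compromised.user@contoso.com",
    "ClientIP": "198.51.100.88:43921",
    "Parameters": [
        {"Name": "Name", "Value": "Auto Archive Important Messages"},
        {"Name": "SubjectContainsWords", "Value": "invoice,payment,urgent,confidential"},
        {"Name": "ForwardTo", "Value": "archive.mail@example.net"},
        {"Name": "StopProcessingRules", "Value": "True"},
        {"Name": "DeleteMessage", "Value": "True"},
    ],
})

INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # assumed tenant domains
GENERIC_NAMES = {"archive", "rule", ".", ".."}                  # assumed watchlist
TARGET_WORDS = {"invoice", "payment", "urgent", "confidential", "password", "wire"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def indicators(raw_json):
    """Return the suspicious indicators present in one New-InboxRule audit record."""
    rec = json.loads(raw_json)
    if rec.get("Operation") != "New-InboxRule" or rec.get("ResultStatus") != "Success":
        return []  # failed or unrelated operations never created a rule
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}  # flatten Parameters
    found = []
    # Any forwarding target outside the tenant (ForwardTo from the page plus two siblings)
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL_RE.findall(p.get(field, "")):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append("external_forward:" + addr)
    if p.get("StopProcessingRules", "").lower() == "true":
        found.append("stop_processing_rules")  # later rules never run on the message
    if p.get("DeleteMessage", "").lower() == "true":
        found.append("delete_message")  # mailbox owner never sees the forwarded mail
    name = p.get("Name", "").strip().lower()
    if not name or name in GENERIC_NAMES or name.startswith("auto archive"):
        found.append("generic_rule_name")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(",")}
    if words & TARGET_WORDS:
        found.append("keyword_targeting")
    ts = datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))
    if ts.hour < 6 or ts.hour >= 20 or ts.weekday() >= 5:  # night or weekend, UTC
        found.append("off_hours")
    return found
```

Treat the returned list as evidence to weigh, not a verdict: a single external forward created by a user in business hours is often legitimate, while several indicators together match the pattern this event type describes.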

Details

Event Type: inbox_rule_created
Fields: 23
Frequency: Medium
Tags (5): exchange, inbox-rules, email-forwarding, user-activity, data-exfiltration
