Vendors Microsoft Corporation Office 365 Mailbox External Forwarding Configuration

Mailbox External Forwarding Configuration

Set-Mailbox with ForwardingSmtpAddress - Data Exfiltration Risk

Records Set-Mailbox operations that configure external email forwarding, a common data exfiltration technique where emails are automatically forwarded to external addresses

exchange email-forwarding data-exfiltration mailbox-configuration security-risk

JSON Format 22 Fields Low Frequency Generator

Preview Sample View Schema

Overview

Captures Set-Mailbox operations that configure ForwardingSmtpAddress, enabling automatic forwarding of emails to external addresses. This is a critical security event as it's commonly used for data exfiltration and persistence.

When Generated:

Administrator configures email forwarding for a user mailbox
Attacker with compromised admin credentials sets up data exfiltration
Mailbox delegation includes external forwarding
Legitimate business process requires external email forwarding

Security Relevance:

Critical

Compliance:

GDPR (Data Protection) HIPAA (PHI Exfiltration Risk) PCI-DSS (Cardholder Data Protection) SOX (Financial Data Controls) NIST 800-53 (AC-2, AU-6)

Frequency Notes:

Low frequency under normal operations. Sudden increases or external forwarding to free email services (Gmail, Outlook.com) are high-priority security alerts. Night/weekend activity is particularly suspicious (3x multiplier).

Resources

Documentation

Office 365 Management Activity API Schema official
Set-Mailbox PowerShell Reference official
Detecting Email Forwarding Rules official
MITRE ATT&CK - Email Forwarding Rule (T1114.003) reference

Tools

Microsoft 365 Defender
Native detection and response for O365 threats including email forwarding
Azure Sentinel O365 Connector
Ingest and analyze Office 365 audit logs in Azure Sentinel
Hawk PowerShell Module
PowerShell-based tool for gathering information related to O365 intrusions and compromises

Generation Configuration

Base Frequency: 2 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 3.0x

Weekend Multiplier: 2.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
CreationTime Source: now() \| iso8601	DateTime	Required	`ISO 8601`	Timestamp when the Set-Mailbox operation was executed	`2024-12-15T14:23:47Z`	—
Id Source: random_guid()	String	Required	`GUID`	Unique identifier for this audit record	`a8f3c2d1-4b5e-6a7f-8c9d-0e1f2a3b4c5d`	—
Operation Source: Static value 'Set-Mailbox'	String	Required	—	Exchange PowerShell cmdlet executed	`Set-Mailbox`	—
OrganizationId Source: Derived from organization domain with random hex	String	Required	`GUID`	Microsoft 365 tenant identifier	`b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e`	—
RecordType Source: Static value 1	Integer	Required	—	Office 365 audit log record type (1 = ExchangeAdmin)	`1`	`1` — ExchangeAdmin - Exchange administrative operations
ResultStatus Source: random_choice(['Success', 'PartiallySucceeded', 'Failed'])	String	Required	—	Outcome of the operation	`Success`	`Success` — Operation completed successfully `PartiallySucceeded` — Operation completed with warnings `Failed` — Operation failed
UserKey Source: registry.get_random_user().email	String	Required	—	Unique identifier for the user who performed the action	`admin@contoso.com`	—
UserType Source: random_choice([0, 2])	Integer	Required	—	Type of user performing the action	`0`	`0` — Regular user `2` — Administrator
Workload Source: Static value 'Exchange'	String	Required	—	Office 365 service where the operation occurred	`Exchange`	—
UserId Source: registry.get_random_user().email	String	Required	`Email/UPN`	User principal name of the account that performed the action	`admin@contoso.com`	—
ClientIP Source: random_choice([random_public_ip(), random_private_ip()]) with random_port()	String	Required	`IPv4:Port`	IP address and port of the client that performed the operation	`203.0.113.45:52874`	—
ObjectId Source: registry.get_random_user().email	String	Required	`Email/UPN`	Target mailbox that was modified	`finance.user@contoso.com`	—
ExternalAccess Source: random_choice(['true', 'false', 'false', 'false']) - weighted 25% external	Boolean	Required	—	Indicates if the operation was performed from outside the corporate network	`true`	—
OrganizationName Source: Derived from organization domain	String	Required	`*.onmicrosoft.com`	Microsoft 365 tenant name	`contoso.onmicrosoft.com`	—
OriginatingServer Source: Random Exchange Online server identifier with version	String	Required	—	Exchange server that processed the operation	`BN8PR01MB5678 (15.20.7654.32)`	—
Parameters Source: Array of parameter objects	Array	Required	—	PowerShell parameters used in the Set-Mailbox operation	—	—
Parameters[].Name	String	Required	—	Parameter name (Identity, ForwardingSmtpAddress, DeliverToMailboxAndForward)	`ForwardingSmtpAddress`	—
Parameters[].Value Source: Random external email address with smtp: prefix	String	Required	—	Parameter value - ForwardingSmtpAddress contains external email in smtp: format	`smtp:external.recipient@gmail.com`	—
SessionId Source: random_guid()	String	Required	`GUID`	Session identifier for the administrative connection	`c9d8e7f6-5a4b-3c2d-1e0f-9a8b7c6d5e4f`	—
ClientInfoString Source: Random client type (WebServices, OWA, PowerShell)	String	Optional	—	Information about the client application used	`Client=WebServices;Mozilla/5.0;`	—
Item Source: Object with Id and ParentFolder	Object	Required	—	Object containing details about the modified mailbox	—	—
ModifiedProperties Source: Array showing ForwardingSmtpAddress and DeliverToMailboxAndForward changes	Array	Required	—	Properties that were changed, showing old and new values	—	—

Details

Fields

Low

Frequency

Feedback

No ratings yet