[Rule Tuning] M365 Exchange Inbox Forwarding Rule Created #5642

@marcopedrinazzi

Link to Rule

https://github.com/elastic/detection-rules/blob/a2c1dd85755e464e0cac4017b768e6f228e99f1e/rules/integrations/o365/collection_exchange_new_inbox_rule.toml

Rule Tuning Type

None

Description

Hello, I think this detection rule can be improved by integrating the logic of the similar Sigma rule, which captures more parameters in the case of New-InboxRule and Set-InboxRule:

```yaml
selection_setinbox:
    Operation|contains:
        - 'New-InboxRule'
        - 'Set-InboxRule'
    Parameters|contains:
        - 'ForwardAsAttachmentTo'
        - 'ForwardingAddress'
        - 'ForwardingSmtpAddress'
        - 'ForwardTo'
        - 'RedirectTo'
        - 'RedirectToRecipients'
condition: 1 of selection_*
```

https://github.com/SigmaHQ/sigma/blob/a4ddc7a4140c7e0e9a1d92481a1ff91d9237e774/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml

Example Data

No response
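As an added example (not part of the issue, the Elastic rule or the Sigma rule), the quoted `selection_setinbox` logic applied to constructed Exchange admin audit records shaped like Unified Audit Log entries (an `Operation` plus a `Parameters` list of `Name`/`Value` pairs); all user ids and addresses are placeholders.

```python
# Added example: the Sigma selection quoted in the issue, run over constructed
# Office 365 Exchange admin audit records (Operation + Parameters Name/Value list).

RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
FORWARDING_PARAMS = (
    "ForwardAsAttachmentTo", "ForwardingAddress", "ForwardingSmtpAddress",
    "ForwardTo", "RedirectTo", "RedirectToRecipients",
)

# Constructed sample records; UserIds and addresses are placeholders.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "ForwardTo", "Value": "mailbox@external.test"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.test",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "RedirectTo", "Value": "other@external.test"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.test",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:x@external.test"}]},
]

def parameter_names(record):
    """Cmdlet parameter names from a record's Parameters collection."""
    return [p.get("Name", "") for p in record.get("Parameters", [])]

def matches_forwarding_rule(record):
    """Sigma selection_setinbox: Operation contains New-/Set-InboxRule AND some
    parameter name contains one of the forwarding fields. Returns the matched
    parameter names (sorted), or None when the record does not fire."""
    operation = record.get("Operation", "")
    if not any(op in operation for op in RULE_OPERATIONS):
        return None
    hits = sorted({n for n in parameter_names(record)
                   if any(f in n for f in FORWARDING_PARAMS)})
    return hits or None

def triage(records):
    """(UserId, Operation, matched parameters) for every record that fires."""
    return [(r["UserId"], r["Operation"], hits)
            for r in records if (hits := matches_forwarding_rule(r)) is not None]

if __name__ == "__main__":
    for user, op, hits in triage(SAMPLE_RECORDS):
        print(f"{user}: {op} with {', '.join(hits)}")
```

The Set-Mailbox record is deliberately not matched: the quoted selection covers inbox rules only, and the folder-move rule shows a benign New-InboxRule that stays quiet.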
