Insecure mail forwarding rules

Associated with

Inboxes

Underlying signals

External mail forward (RS10), Common exploitable mail forward (RS11)

Reasonings

• Enabled inbox, and
  • Any inbox that is enabled regardless if it’s regular, shared, or a distribution group
• Has mail forward rules, and
  • Inboxes without mail forward rules will never trigger this event
• A mail forward rule that forwards emails to an external address, or
  • Cork does not consider a domain as external if that domain is present in the same client’s environment
  • These are primarily alias domains
• A mail forward rule’s display name is one character long, or
  • Attackers may configure a mail forward rule with a single character display name in an attempt to “hide” it from user interfaces
• A mail forward rule’s display name is commonly linked to an exploit
  • These rules can change and are constantly being reevaluated, but Cork generally uses Red Canary’s email threat detection guidelines

Resolutions

• If you cannot directly remove the rule, but have Exchange or O365 Exchange access you can configure the domain’s outbound spam filter policies to control external mail forwarding
  • You can reference https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-external-email-forwarding
• Remove the rule from the user
• If user is being offboarded, disable the inbox