
Insecure mail forwarding rules

Associated with

Inboxes

Underlying signals

External mail forward (RS10), Common exploitable mail forward (RS11)

Reasonings

  • Enabled inbox, and
    • Any enabled inbox qualifies, whether it is a regular inbox, a shared inbox, or a distribution group
  • Has mail forward rules, and
    • Inboxes without mail forward rules will never trigger this event
  • A mail forward rule that forwards emails to an external address, or
    • Cork does not treat a domain as external if that domain is present in the same client’s environment
    • Such domains are typically alias domains
  • A mail forward rule’s display name is one character long, or
    • Attackers may configure a mail forward rule with a single character display name in an attempt to “hide” it from user interfaces
  • A mail forward rule’s display name is commonly linked to an exploit
    • These rules can change and are constantly being reevaluated, but Cork generally uses Red Canary’s email threat detection guidelines
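
As an added illustration of how the conditions above combine (this is example code written for this page, not Cork’s implementation), the check below flags a rule when the inbox is enabled, has forward rules, and at least one rule forwards externally, has a one-character display name, or carries a display name from a watch list. The client domains and the watch-list names are constructed placeholders; the real watch list the page refers to is Red Canary’s guidance, which is not reproduced here.

```python
from dataclasses import dataclass, field

# Domains owned by this client, primary plus aliases. A forward to any of these
# is internal and is not flagged. Constructed sample values.
CLIENT_DOMAINS = {"example.com", "example-mail.com"}

# Placeholder stand-ins for display names linked to known tradecraft. The page
# says the real list follows Red Canary's guidance and is reevaluated over time.
SUSPICIOUS_RULE_NAMES = {"placeholder-exploit-name-1", "placeholder-exploit-name-2"}


@dataclass
class ForwardRule:
    display_name: str
    forward_to: str  # address the rule forwards mail to


@dataclass
class Inbox:
    address: str
    enabled: bool
    rules: list = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of the client's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in CLIENT_DOMAINS


def rule_findings(rule: ForwardRule) -> list:
    """Reasons a single forward rule is flagged; empty list means the rule is clean."""
    findings = []
    if is_external(rule.forward_to):
        findings.append("external forward")
    if len(rule.display_name) == 1:
        findings.append("single-character display name")
    if rule.display_name.lower() in SUSPICIOUS_RULE_NAMES:
        findings.append("exploit-linked display name")
    return findings


def evaluate_inbox(inbox: Inbox) -> list:
    """List of (display_name, findings) for flagged rules; empty means no event fires."""
    # Disabled inboxes and inboxes with no forward rules never trigger the event.
    if not inbox.enabled or not inbox.rules:
        return []
    return [(r.display_name, f) for r in inbox.rules if (f := rule_findings(r))]
```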

Resolutions