
Commonly exploited mail forward rules

Associated with

Inboxes

Underlying signals

Common exploitable mail forward (RS11)

Reasonings

    • Enabled inbox, and
      • Any inbox that is enabled, regardless of whether it is a regular mailbox, a shared mailbox, or a distribution group
    • Has mail forward rules, and
      • Inboxes without mail forward rules never trigger this event
    • A mail forward rule’s display name is one character long, or
      • Attackers may give a mail forward rule a single-character display name (such as a lone period) in an attempt to “hide” it in user interfaces, where it is easy to overlook
    • A mail forward rule’s display name is one commonly associated with attacker-created forwarding rules
      • The list of such names changes and is constantly being reevaluated; Cork generally follows Red Canary’s email threat detection guidelines
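As an added example that is not part of this page or of Cork’s product, the reasoning above expressed as executable detection logic, run over constructed sample inboxes. The Inbox and InboxRule structures, their field names, and the SUSPICIOUS_RULE_NAMES set are assumptions; that set is an illustrative stand-in for the guideline-derived list, not Red Canary’s actual names.

```python
# Added example: a reference implementation of the RS11 reasoning, run over
# constructed sample inboxes. Not Cork's code; SUSPICIOUS_RULE_NAMES is an
# illustrative stand-in for the guideline-derived list.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: illustrative names attackers commonly give forwarding rules.
# The real list follows Red Canary's guidelines and changes over time.
SUSPICIOUS_RULE_NAMES = {"rule", "test", "new rule", "inbox", "archive", "..."}


@dataclass
class InboxRule:
    """One inbox rule; any non-empty target list makes it a forwarding rule."""
    name: str
    forward_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)

    def targets(self) -> List[str]:
        return self.forward_to + self.forward_as_attachment_to + self.redirect_to

    def forwards_mail(self) -> bool:
        return bool(self.targets())


@dataclass
class Inbox:
    """Any mailbox kind counts: 'regular', 'shared' or 'distribution'."""
    address: str
    enabled: bool
    kind: str
    rules: List[InboxRule]


def rule_reason(rule: InboxRule) -> Optional[str]:
    """Why this forwarding rule trips RS11, or None if its name looks benign."""
    if len(rule.name) == 1:               # "." or " " style names meant to hide in the UI
        return "single-character display name"
    if rule.name.strip().lower() in SUSPICIOUS_RULE_NAMES:
        return "display name commonly used by attacker-created rules"
    return None


def evaluate_rs11(inbox: Inbox) -> List[Dict[str, object]]:
    """Return one finding per rule in this inbox that meets all RS11 conditions."""
    if not inbox.enabled:                 # condition 1: disabled inboxes never fire
        return []
    findings = []
    for rule in inbox.rules:
        if not rule.forwards_mail():      # condition 2: non-forwarding rules never fire
            continue
        reason = rule_reason(rule)        # condition 3 or 4: the name itself is the signal
        if reason is not None:
            findings.append({"inbox": inbox.address, "kind": inbox.kind,
                             "rule": rule.name, "reason": reason,
                             "targets": rule.targets()})
    return findings


# Constructed sample data (not real tenants or addresses).
SAMPLE_INBOXES = [
    Inbox("alice@example.com", True, "regular", [
        InboxRule(".", forward_to=["collector@example.net"]),   # hidden by a 1-char name
        InboxRule("Move newsletters"),                          # no forwarding: ignored
    ]),
    Inbox("finance@example.com", True, "shared", [
        InboxRule("Rule", redirect_to=["collector@example.net"]),            # common attacker name
        InboxRule("Forward invoices to AP", forward_to=["ap@example.com"]),  # descriptive: not flagged
    ]),
    Inbox("bob@example.com", False, "regular", [
        InboxRule("x", forward_to=["collector@example.net"]),   # inbox disabled: ignored
    ]),
]


def run(inboxes: List[Inbox] = SAMPLE_INBOXES) -> List[Dict[str, object]]:
    """Evaluate every inbox and return all RS11 findings."""
    return [f for inbox in inboxes for f in evaluate_rs11(inbox)]


if __name__ == "__main__":
    for finding in run():
        print(f"{finding['inbox']} ({finding['kind']}): rule {finding['rule']!r} "
              f"-> {finding['targets']} [{finding['reason']}]")
```

The descriptive “Forward invoices to AP” rule in the sample shows the scope of this signal: RS11 keys on the rule’s display name, so a forwarding rule with an innocuous name is not flagged by it and still needs to be reviewed on its own merits.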

Resolutions

  • Remove the forwarding rule from the user’s mailbox
  • If the user is being offboarded, disable the inbox