
Add O365 rule: Inbox Forward Rule with Email Exfiltration#2221

Merged
Kbayero merged 1 commit into
release/v11.2.9from
feature/add-o365-rule-inbox-forward-exfiltration
Jun 15, 2026

Conversation

@developutm


Changes

Adds a new O365 correlation rule o365-inbox-forward-rule-exfiltration.yml that detects the creation or modification of inbox forwarding rules followed by a burst of SendAs activity from the same user within 1 hour.

Reasoning

A forwarding/inbox rule on its own is noisy — many users legitimately create them. The high-fidelity signal is the combination: an inbox rule created or modified, immediately followed by a burst of activity from the same identity. That pattern is a textbook business-email-compromise / account-takeover exfiltration playbook: the attacker pivots inbound mail and then actively impersonates the user. The 1-hour window keeps false positives down while preserving recall on real incidents.

Issue Reference

N/A
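The sequence described above, as an added illustration that is not the PR's YAML rule or any UTMStack code: a small Python detector run over constructed Unified Audit Log records (Operation, UserId, CreationTime fields). The 1-hour window is the rule's; the burst threshold of 3 is an assumption, since the PR does not state a count, and the sample records are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters: the 1-hour window comes from the PR description; the burst
# threshold is an assumption (the PR does not say how many SendAs make a burst).
WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 3
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}   # inbox-rule create / modify

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp as written in Unified Audit Log records."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def detect(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Alert when a user creates/modifies an inbox rule and then issues
    >= threshold SendAs operations within `window` after that change."""
    # The same field (UserId) selects events and groups them; a filter/groupBy
    # field mismatch would silently break the correlation.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["UserId"].lower()].append((parse_ts(e["CreationTime"]), e["Operation"]))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        sends = [t for t, op in evs if op == "SendAs"]
        for t0, op in evs:
            if op not in RULE_OPS:
                continue
            n = sum(1 for t in sends if t0 <= t <= t0 + window)
            if n >= threshold:
                alerts.append({"user": user, "rule_op": op,
                               "rule_time": t0.isoformat(), "sendas_count": n})
    return alerts

# Constructed sample records (not real tenant data), trimmed to the three fields used.
SAMPLE_EVENTS = [
    # alice: rule created, then 3 SendAs inside the hour -> alert
    {"CreationTime": "2026-06-12T09:00:00Z", "UserId": "alice@example.com", "Operation": "New-InboxRule"},
    {"CreationTime": "2026-06-12T09:05:00Z", "UserId": "alice@example.com", "Operation": "SendAs"},
    {"CreationTime": "2026-06-12T09:12:00Z", "UserId": "Alice@example.com", "Operation": "SendAs"},
    {"CreationTime": "2026-06-12T09:40:00Z", "UserId": "alice@example.com", "Operation": "SendAs"},
    # bob: legitimate rule change followed by a single SendAs -> no alert
    {"CreationTime": "2026-06-12T09:00:00Z", "UserId": "bob@example.com", "Operation": "Set-InboxRule"},
    {"CreationTime": "2026-06-12T09:30:00Z", "UserId": "bob@example.com", "Operation": "SendAs"},
    # carol: SendAs burst happened before the rule change, not after -> no alert
    {"CreationTime": "2026-06-12T08:00:00Z", "UserId": "carol@example.com", "Operation": "SendAs"},
    {"CreationTime": "2026-06-12T08:05:00Z", "UserId": "carol@example.com", "Operation": "SendAs"},
    {"CreationTime": "2026-06-12T08:10:00Z", "UserId": "carol@example.com", "Operation": "SendAs"},
    {"CreationTime": "2026-06-12T11:00:00Z", "UserId": "carol@example.com", "Operation": "New-InboxRule"},
]
```

Calling `detect(SAMPLE_EVENTS)` yields one alert, for alice; raising the threshold or widening the window shows how the two parameters trade false positives against recall.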

@developutm developutm requested a review from a team June 12, 2026 18:58
@github-actions


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

❌ Please update dependencies before merging.

@github-actions


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Addition of a new detection rule; no architectural changes or code modifications detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Mismatched field references in correlation logic and potential logic error in groupBy.

  • high rules/office365/o365-inbox-forward-rule-exfiltration.yml:26 — The correlation logic uses '{{.origin.user}}' to filter, but the rule defines 'adversary: origin' and the groupBy uses 'adversary.user'. If the template variable is intended to match the user performing the action, it should likely be '{{.adversary.user}}' to ensure consistency with the groupBy field.
  • medium rules/office365/o365-inbox-forward-rule-exfiltration.yml:34 — The groupBy field 'adversary.user' does not match the field 'origin.user' used in the correlation filter. This will likely result in empty or incorrect grouping if the data model expects 'origin.user' for O365 actions.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: The PR introduces a new detection rule for O365 inbox forwarding; no vulnerabilities or information disclosure identified.

No findings.

@utmstackprapprover utmstackprapprover Bot left a comment


Changes requested — see approver comments above.

@Kbayero Kbayero merged commit 6ed54fc into release/v11.2.9 Jun 15, 2026
5 of 7 checks passed
@Kbayero Kbayero deleted the feature/add-o365-rule-inbox-forward-exfiltration branch June 15, 2026 14:30
