From 41929eacccb4009864ad3d42b4d5fa0f4e51b6e0 Mon Sep 17 00:00:00 2001
From: developutm
Date: Fri, 12 Jun 2026 18:55:59 +0000
Subject: [PATCH] feat(rules/o365): add Inbox Forward Rule with Email Exfiltration detection rule
---
 .../o365-inbox-forward-rule-exfiltration.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/office365/o365-inbox-forward-rule-exfiltration.yml
diff --git a/rules/office365/o365-inbox-forward-rule-exfiltration.yml b/rules/office365/o365-inbox-forward-rule-exfiltration.yml
new file mode 100644
index 000000000..32fb0fc24
--- /dev/null
+++ b/rules/office365/o365-inbox-forward-rule-exfiltration.yml
@@ -0,0 +1,34 @@
+# Rule version v1.0.0
+
+name: O365 Inbox Forward Rule with Email Exfiltration
+description: |
+  Detects the creation or modification of inbox forwarding rules followed by a burst
+  of SendAs activity from the same user within 1 hour. This pattern indicates an
+  attacker who has created email forwarding rules to redirect sensitive emails and
+  is actively exfiltrating data by sending emails as the compromised user. This is
+  a common data exfiltration technique used after initial access is gained.
+category: "Collection"
+technique: "T1114.003 - Email Forwarding Rule"
+references:
+  - "https://attack.mitre.org/techniques/T1114/003/"
+dataTypes:
+  - o365
+adversary: origin
+impact:
+  confidentiality: 3
+  integrity: 1
+  availability: 0
+where: oneOf("action", ["New-InboxRule", "Set-InboxRule", "UpdateInboxRules"])
+correlation:
+  - indexPattern: "v11-log-o365-*"
+    within: 1h
+    count: 5
+    with:
+      - field: origin.user
+        operator: filter_term
+        value: "{{.origin.user}}"
+      - field: action
+        operator: filter_term
+        value: "SendAs"
+groupBy:
+  - adversary.user
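Review bot: The correlation filter `value: "SendAs"` does not match the behaviour the description claims to detect. In the Exchange mailbox audit log, `SendAs` records a message sent using the SendAs permission on another mailbox (the `UserId` differs from the mailbox owner); a compromised user sending from their own mailbox is logged as `Send`, so the "sending emails as the compromised user" scenario in the description will typically never reach `count: 5` unless the attacker also holds SendAs rights on a second mailbox. Either change the filter to `value: "Send"` (or, if `with` accepts a term-set operator, cover `Send`, `SendAs` and `SendOnBehalf` together), or reword the description to say the rule keys on delegated sends. Separately, the `where` clause fires on any inbox-rule creation or modification rather than only forwarding ones, and it omits mailbox-level forwarding (`Set-Mailbox` with `ForwardingSmtpAddress`/`ForwardingAddress`), which is the other common form of T1114.003; if the normalized o365 event exposes the rule parameters, filtering on `ForwardTo`/`RedirectTo`/`ForwardAsAttachmentTo` would cut false positives, and adding `Set-Mailbox` to `oneOf` would close the gap. I cannot tell from the rule whether `correlation` enforces that the send burst happens after the rule change, which the description's "followed by" implies, so that is worth confirming against the engine and stating in the description either way.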