detecting-email-forwarding-rules-attack

name: detecting-email-forwarding-rules-attack description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks. domain: cybersecurity tags:

• threat-hunting
• mitre-attack
• email-forwarding
• persistence
• bec
• t1114
• proactive-detection subdomain: threat-hunting version: '1.0' author: mahipal license: Apache-2.0 d3fend_techniques:
• Restore Object
• Restore Configuration
• Application Configuration Hardening
• Application Hardening
• Disable Remote Access nist_csf:
• DE.CM-01
• DE.AE-02
• DE.AE-07
• ID.RA-05

Detecting Email Forwarding Rules Attack

When to Use

• When proactively hunting for indicators of detecting email forwarding rules attack in the environment
• After threat intelligence indicates active campaigns using these techniques
• During incident response to scope compromise related to these techniques
• When EDR or SIEM alerts trigger on related indicators
• During periodic security assessments and purple team exercises

Prerequisites

• EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
• SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
• Sysmon deployed with comprehensive configuration
• Windows Security Event Log forwarding enabled
• Threat intelligence feeds for IOC correlation

Workflow

1. Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
2. Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
3. Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
4. Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
5. Validate Findings: Distinguish true positives from false positives through contextual analysis.
6. Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
7. Document and Report: Record findings, update detection rules, and recommend response actions.

Key Concepts

Tools & Systems

Common Scenarios

1. Scenario 1: BEC actor creating forwarding rule to external email
2. Scenario 2: Compromised account with rule deleting security alerts
3. Scenario 3: Inbox rule forwarding CEO emails to attacker mailbox
4. Scenario 4: OAuth app abuse creating transport rules for data collection

When NOT to Use

• You need to perform the attack to test detection (use performing-* skills)
• Task is about analyzing past incidents (use analyzing-* skills)
• You need to implement detection rules (use implementing-* skills)
• Task is about threat hunting proactively (use hunting-* skills)
• You don't have access to logs or monitoring data
• Task requires incident response (use IR skills)

Red Flags

• Performing actions without explicit written authorization from the asset owner
• Testing against production systems without a defined scope and rules of engagement
• Exceeding the authorized scope of the engagement
• Leaving persistent access mechanisms without explicit approval
• Causing denial-of-service on production systems during testing

Verification

• All steps executed successfully against a test environment before production use
• Output documented with screenshots or logs demonstrating expected behavior
• All exploited vulnerabilities documented with reproduction steps
• Scope boundaries confirmed — only authorized targets were tested
• Remediation recommendations included for every finding

Output Format

Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1114.003
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

Overview

Section content — see SKILL.md body for full details.

Process

1. Analyze the task requirements
2. Apply domain expertise
3. Verify output quality