LTR-0006 | Severity: HIGH | Source: Microsoft 365 Unified Audit Log | Category: Business Email Compromise | ✓ validated

Detect Business Email Compromise via Malicious Inbox Rules (Microsoft 365)

MITRE ATT&CK: T1114.003, T1564.008

Sigma Rule

title: M365 Mailbox Rule / Forwarding Change — BEC Indicator
id: 4c9d2e83-5b71-4a26-9f18-3e7a1c6b9d06
status: experimental
description: >
  Detects creation or modification of inbox rules and mailbox forwarding in the
  Microsoft 365 Unified Audit Log — the hallmark of business email compromise,
  where an attacker who has taken over a mailbox auto-forwards or auto-deletes
  mail to hide their activity and exfiltrate correspondence.
references:
  - https://attack.mitre.org/techniques/T1114/003/
author: LogTriage
date: 2026/06/23
logsource:
  product: m365
  service: exchange
detection:
  selection:
    Operation:
      - 'New-InboxRule'
      - 'Set-InboxRule'
      - 'Set-Mailbox'
      - 'New-TransportRule'
  condition: selection
falsepositives:
  - Legitimate vacation forwarding / user-created Outlook rules
  - Admin mailbox configuration during onboarding or migration
level: high
tags:
  - attack.collection
  - attack.exfiltration
  - attack.defense_evasion
  - attack.t1114.003
  - attack.t1564.008

What this rule detects

Business email compromise almost always leaves the same fingerprint in the Microsoft 365 Unified Audit Log: shortly after a mailbox takeover, the attacker creates an inbox rule or changes mailbox forwarding to auto-forward incoming mail externally and quietly delete or hide security alerts and replies — so the legitimate owner never notices the fraud in progress.

This Sigma rule fires on the audit operations behind that behavior: New-InboxRule, Set-InboxRule, Set-Mailbox, and New-TransportRule.

Detection logic

The rule keys on the Operation field. On its own, a rule change is common; what makes it BEC is context — external forwarding or delete/move actions in the rule, created by an actor with a risky recent sign-in (impossible travel, legacy auth, a new device). LogTriage’s M365 BEC correlation ties the rule change to the user’s session so a forwarding rule created moments after a suspicious login is surfaced as one incident.

Validated against a real sample

Validated against m365_bec_data_exfil.json (shipped with LogTriage), which contains a New-InboxRule and Set-Mailbox change alongside MailItemsAccessed and bulk FileDownloaded operations — a textbook BEC + exfiltration sequence. The rule fires on those events and stays silent on the matching benign activity log.

False positives

Users legitimately set up vacation forwarding and Outlook rules, and admins configure mailboxes during onboarding. Triage by inspecting the rule’s actions (external forwarding / delete = high suspicion) and the actor’s recent sign-in risk.
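The triage described under Detection logic and False positives, worked through in code. This is an added example, not LogTriage's parser: it applies the Sigma selection to Unified Audit Log ExchangeAdmin records, then grades each hit by whether the rule forwards to an address outside the tenant's domains, deletes mail, or moves it to an obscure folder, and raises the severity when the actor is in a caller-supplied set of users with a risky recent sign-in. The sample records, the domain contoso.example, and the folder list are constructed; the Exchange cmdlet parameter names are the real ones used by New-InboxRule/Set-Mailbox.

```python
"""Triage M365 Unified Audit Log records for the BEC inbox-rule pattern above (added example)."""

# Operations from the Sigma selection.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "New-TransportRule"}
# Exchange cmdlet parameters that forward mail or hide it from the mailbox owner.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
OBSCURE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}

def triage(record, internal_domains, risky_users=frozenset()):
    """Return (matched, severity, reasons): 'low' = bare rule change, 'medium' = external
    forward or hidden mail, 'high' = that plus a caller-flagged risky sign-in for the actor."""
    if record.get("Operation") not in WATCHED_OPS:
        return False, None, []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & set(params)):
        # Values look like 'smtp:user@dom' or a ';'-separated list; compare the domain part.
        for addr in (a.strip() for a in params[name].replace(";", ",").split(",")):
            if "@" in addr and addr.rsplit("@", 1)[1].lower() not in internal_domains:
                reasons.append(f"{name} -> external {addr}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    folder = params.get("MoveToFolder", "").split("\\")[-1].strip()
    if folder.lower() in OBSCURE_FOLDERS:
        reasons.append(f"MoveToFolder -> {folder}")
    risky = record.get("UserId", "").lower() in risky_users
    return True, "low" if not reasons else ("high" if risky else "medium"), reasons

# Constructed sample records in the shape of Unified Audit Log ExchangeAdmin entries.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "backup@mail-archive.example.net"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@contoso.example"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "bob@contoso.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "cfo@contoso.example", "Parameters": []},
]

def run(records=SAMPLE_LOG, internal_domains=frozenset({"contoso.example"}),
        risky_users=frozenset({"cfo@contoso.example"})):
    """Return [(Operation, UserId, severity, reasons)] for every Sigma match."""
    hits = []
    for rec in records:
        matched, sev, reasons = triage(rec, internal_domains, risky_users)
        if matched:
            hits.append((rec["Operation"], rec["UserId"], sev, reasons))
    return hits
```

On the sample set, the CFO's external-forward-plus-RSS-Feeds rule grades high, while the helpdesk forward and the internal vacation rule grade low and the MailItemsAccessed record does not match the selection at all.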

Frequently Asked Questions

Why are inbox rules such a strong BEC signal?
After taking over a mailbox, attackers create rules that auto-forward incoming mail to an external address and/or move security alerts and replies straight to Deleted Items or RSS Feeds — so the real owner never sees the fraud. New-InboxRule and Set-Mailbox (with ForwardingSmtpAddress) are the audit events behind that behavior.
How do I separate a malicious rule from a legitimate one?
Inspect the rule's actions — external forwarding, delete-message, or move-to-obscure-folder are red flags — and correlate with the actor's recent sign-ins (impossible travel, legacy auth, new device). LogTriage's M365 parser correlates rule changes with the user's session so a forwarding rule created right after a risky sign-in is escalated automatically.
Does this cover org-wide transport rules too?
Yes — New-TransportRule is included because attackers with elevated access sometimes create organization-level mail-flow rules for broader exfiltration. Treat any unexpected transport-rule change as high severity.
