Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0010 ✕ technique: T1114 ✕
Show ATT&CK heatmapA mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation
A rule was set up to forward emails outside the Google Workspace domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.Variations
A mail forwarding rule was configured in Google Workspace to an uncommon domain
High overridden
A rule was set up to forward emails outside the Google Workspace domain. overridden
Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange inbox forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange inbox forwarding rule configured
Medium overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden
External Exchange inbox forwarding rule configured
Low overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden
Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange transport forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange transport forwarding rule configured
Medium overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden
Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.Variations
Exchange user mailbox forwarding by a delegate user
Informational overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange user mailbox forwarding
Medium overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden
Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations
A user sent sensitive email messages to external users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive email information.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Exchange mail to external account matching high severity DLP rules
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive Exchange mail sent to an external user
Low overridden
A user sent sensitive email messages to external users. overridden