AN1591: Analytic 1591
Creation of email forwarding/redirect rules in Exchange Online via New-InboxRule or transport rule cmdlets, including auto-forwarding address field usage.
Analyst context for executives and security teams
This analytic focuses on Exchange Online email forwarding or redirect rule creation, including inbox rules and transport rules that use auto-forwarding address fields. For leaders, the significance is governance and continuity: unauthorized or unmanaged forwarding can move sensitive communications outside normal oversight and may persist until explicitly reviewed. The object is detection-focused, but MITRE provides no official detection logic, so organizations need to validate their own Exchange Online audit visibility and rule-review process.
Executive priority
Prioritize this as an email and identity control assurance item: who can create forwarding rules, how those changes are approved, and whether SOC/IR teams can reconstruct the actor, mailbox, rule details, and destination address. It is especially relevant to audit evidence, incident scoping, and executive confidence that mail-flow changes are not silently bypassing security monitoring or data handling expectations.
Technical view
Validate monitoring for Exchange Online creation of inbox forwarding/redirect rules via New-InboxRule and transport rule cmdlets, including capture of auto-forwarding address fields. SOC teams should confirm events include the initiating identity, affected mailbox or transport rule, parameters, destination forwarding address, timestamp, and source context where available. Because no ATT&CK detection logic or relationships are supplied, detection engineering should be based on local baselines for legitimate administrators, help desk workflows, migration activity, and approved mail-flow automation.
Likely telemetry
- Exchange Online audit records for New-InboxRule activity
- Exchange Online administrative audit records for transport rule creation or modification
- Rule parameters showing forwarding, redirect, or auto-forwarding address fields
- Actor identity, role, source IP/session context, and timestamp for rule changes
- Affected mailbox, rule name, transport rule name, and configured forwarding destination
Detection direction
- Alert or review creation of inbox or transport rules that configure forwarding or redirect destinations, especially when the destination is not expected for the mailbox or business process.
- Tune against known legitimate administrators, delegated mailbox managers, migrations, compliance workflows, and approved transport-rule changes to reduce false positives.
- Validate that audit logging and retention are sufficient for incident response; this analytic loses value if rule parameters or actor identity are not retained.
- Review both mailbox-level inbox rules and organization-level transport rules; focusing on only one layer creates a material blind spot.
- Because MITRE supplied no official detection text, test detections with authorized administrative changes rather than assuming coverage.
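The detection direction above, worked as an added example (not part of the ATT&CK object or the Glexia analysis) over constructed Exchange Online audit records in the Office 365 Management Activity API shape (Workload, Operation, UserId, ObjectId, ClientIP, Parameters): it extracts forwarding or redirect destinations set by New-InboxRule, Set-InboxRule, Set-Mailbox and the transport rule cmdlets, so both the mailbox and the organization layer are reviewed, and marks destinations outside an assumed tenant domain list. The sample records and TENANT_DOMAINS are constructed; the parameter names are the real cmdlet parameters.

```python
import json

# Parameters that carry a forwarding/redirect destination, per cmdlet and the layer it acts on
# (real Exchange Online parameter names); mailbox-level and organization-level are both covered.
INBOX_RULE = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
TRANSPORT_RULE = {"RedirectMessageTo", "BlindCopyTo", "CopyTo"}
WATCHED = {
    "New-InboxRule": ("mailbox", INBOX_RULE), "Set-InboxRule": ("mailbox", INBOX_RULE),
    "Set-Mailbox": ("mailbox", {"ForwardingSmtpAddress", "ForwardingAddress"}),
    "New-TransportRule": ("organization", TRANSPORT_RULE), "Set-TransportRule": ("organization", TRANSPORT_RULE),
}
TENANT_DOMAINS = {"example.com"}  # assumed accepted domains of the tenant (constructed)

def normalize(addr):
    addr = addr.strip().lower()  # audit values may carry an "smtp:" prefix
    return addr[5:] if addr.startswith("smtp:") else addr

def is_external(addr):
    return addr.rsplit("@", 1)[-1] not in TENANT_DOMAINS

def findings_for(record):
    """One finding per destination set by a watched cmdlet; empty for anything else."""
    op = record.get("Operation", "")
    if record.get("Workload") != "Exchange" or op not in WATCHED:
        return []
    scope, params = WATCHED[op]
    out = []
    for p in record.get("Parameters", []):
        if p.get("Name") not in params or not p.get("Value"):
            continue
        for dest in map(normalize, p["Value"].split(";")):  # multi-valued params are ';'-joined
            if dest:
                out.append({"actor": record.get("UserId"), "operation": op, "scope": scope,
                            "target": record.get("ObjectId"), "client_ip": record.get("ClientIP"),
                            "destination": dest, "external": is_external(dest)})
    return out

def review(lines):
    return [f for line in lines for f in findings_for(json.loads(line))]

# Constructed sample records (not real tenant data): a user rule forwarding outside the tenant, an
# admin-set forward to an internal mailbox, an org-level BCC with one external recipient, and a plain move rule.
SAMPLE = [
    '{"Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@example.com","ObjectId":"alice@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Cleanup"},{"Name":"ForwardTo","Value":"archive@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"bob@example.com","ClientIP":"203.0.113.5","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:helpdesk@example.com"}]}',
    '{"Workload":"Exchange","Operation":"New-TransportRule","UserId":"admin@example.com","ObjectId":"Finance copy","ClientIP":"203.0.113.5","Parameters":[{"Name":"BlindCopyTo","Value":"fin@example.com;relay@partner.example.org"}]}',
    '{"Workload":"Exchange","Operation":"New-InboxRule","UserId":"carol@example.com","ObjectId":"carol@example.com","Parameters":[{"Name":"MoveToFolder","Value":"Archive"}]}',
]
```

Findings with `external` set true are the review queue; the internal ones still matter for the approval and baseline checks listed above, since an approved destination can still be an unexpected one for that mailbox.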
Mitigation priorities
- Limit and periodically review privileges that allow Exchange Online inbox rule and transport rule creation.
- Require documented approval for new or changed forwarding/redirect rules, especially organization-level transport rules.
- Maintain recurring reviews of existing forwarding destinations and auto-forwarding address usage.
- Ensure Exchange Online audit collection, retention, and SOC access are sufficient to investigate rule creation events.
- Include forwarding-rule review in email compromise and identity incident response playbooks.
Analyst notes and limits
The supplied ATT&CK object is an analytic, not a technique, and has no tactics, relationships, aliases, or official detection text. The strongest supported interpretation is defensive validation around Exchange Online forwarding and redirect rule creation using the named cmdlets and forwarding fields.
This take does not assert active exploitation, attribution, impact, or guaranteed detection. Local Exchange Online configuration, licensing, audit retention, administrative workflows, and approved business forwarding practices are required to determine risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7dcdba75df58… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.