DET0576: Email Forwarding Rule Abuse Detection Across Platforms
Email forwarding rule abuse matters because it can let an intruder quietly copy sensitive mailbox content and continue receiving email even after a passwor...
Analyst context for executives and security teams
Email forwarding rule abuse matters because it can let an intruder quietly copy sensitive mailbox content and continue receiving email even after a password reset if the rule is not removed. For leaders, this is a visibility and incident-containment issue: the organization needs evidence that mailbox forwarding changes are logged, reviewed, and investigated across its email environments.
Executive priority
Prioritize this as part of identity, email security, and incident response readiness. The related ATT&CK technique is tied to collection and describes adversaries using forwarding rules to monitor victims, steal information, and retain access to email after compromised credentials are reset. Executives should ask whether SOC and IR teams can quickly identify unauthorized forwarding, prove review coverage for audit/compliance needs, and include forwarding-rule removal in account compromise playbooks.
Technical view
This detection strategy is associated with T1114.003 Email Forwarding Rule. Because the ATT&CK object provides no official detection text and no explicit platforms for the strategy, teams should validate locally that they can observe creation, modification, and removal of mailbox or inbox forwarding rules wherever business email is hosted. Detection engineering should correlate forwarding-rule changes with account authentication events, privilege/admin activity, suspicious mailbox access, recent credential resets, and known legitimate forwarding/delegation patterns. IR teams should ensure account containment includes checking and removing malicious forwarding rules, not only resetting credentials.
Likely telemetry
- Mailbox or inbox rule creation, modification, and deletion audit logs
- Mailbox forwarding configuration and transport/mail-flow rule records
- Email platform administrative audit logs
- Identity and authentication logs for the affected account
- Privileged/admin activity logs for mailbox configuration changes
Detection direction
- Confirm whether forwarding-rule changes are logged with actor, target mailbox, timestamp, destination address, and rule conditions.
- Baseline legitimate forwarding, shared mailbox, delegation, and business continuity use cases to reduce false positives.
- Alert on new or modified forwarding rules that send mail to unusual, external, or previously unseen destinations, subject to local policy and available telemetry.
- Correlate forwarding-rule changes with suspicious sign-ins, impossible travel, unusual device/session activity, or recent credential resets where those data sources exist.
- During mailbox compromise investigations, search for forwarding rules created before, during, and after credential reset activity.
Mitigation priorities
- Require strong identity controls for email access and administration, including MFA and least-privilege administrative roles where supported.
- Maintain audit logging and retention for mailbox rule and forwarding configuration changes.
- Establish an approved business process for external forwarding and delegation exceptions.
- Regularly review forwarding rules, especially for executives, finance, legal, administrators, and other sensitive mailboxes.
- Update incident response playbooks so account recovery includes mailbox rule inspection, forwarding removal, and validation after credential reset.
Analyst notes and limits
The supplied ATT&CK detection strategy has a name and relationship to T1114.003 but no official description, detection logic, tactics, or platforms of its own. The strongest decision value comes from the relationship: email forwarding rules can support collection and can undermine containment if defenders only reset credentials. Local email architecture, logging configuration, and forwarding policy determine practical coverage.
This take is based only on the provided STIX fields, external reference, and relationship context. It does not assert active exploitation, specific vendor coverage, attribution, or guaranteed detectability. Platform-specific rule logic and exact event names require local validation.
Email Forwarding Rule Abuse Detection Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1114.003 | Email Forwarding Rule Sub-technique | This object detects Email Forwarding Rule. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 8d192b95bbd3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0576Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.