Try in Splunk Security Cloud


This search detects when multiple user configured a forwarding rule to the same destination.

  • Type: Anomaly
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Patrick Bareiss, Splunk
  • ID: f8dfe015-dbb3-4569-ba75-b13787e06aa4


ID Technique Tactic
T1114.003 Email Forwarding Rule Collection
T1114 Email Collection Collection
`o365_management_activity` Operation=Set-Mailbox 
| spath input=Parameters 
| rename Identity AS src_user 
| search ForwardingSmtpAddress=* 
| stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress 
| where count_src_user > 1 

Associated Analytic Story

How To Implement

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Required field

  • _time
  • Operation
  • Parameters

Kill Chain Phase

  • Actions on Objectives

Known False Positives



Risk Score Impact Confidence Message
48.0 80 60 User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1