Mailbox Forwarding Rule
Set an Outlook rule (or transport rule) to forward all mail to an external attacker mailbox — silent data exfil.
§ Where this technique fits
M365-MAILBOX-FORWARD is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 2 / 4
Mailbox forwarding rule → silent data exfil
Compromised user account. Create an Inbox / transport rule that auto-forwards every incoming message to an external attacker mailbox — invisible until an admin reviews mailbox rules.
- step 3 / 6
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- step 7 / 7
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
§ What commonly comes next
- 01 Valid Accounts · seen 2× · T1078 · Initial Access