MITRE ATT&CK Technique
Description
Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to a victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or a command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)
In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then perform a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives.
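A detection sketch for the three scopes described above (user inbox rules, administrator-set forwarding on a mailbox, and organization-wide transport rules), added here as an example and not part of the ATT&CK entry. The cmdlet and parameter names are Exchange's own but do not appear on this page; the audit record layout is simplified, the sample records are constructed, and `INTERNAL_DOMAINS` is a hypothetical setting.

```python
import json

# Assumption: domains the organization owns; every other domain is external.
INTERNAL_DOMAINS = {"corp.example"}

# Exchange cmdlets and the parameters that forward, redirect or copy mail, by scope.
FORWARDING_PARAMS = {
    "inbox_rule": ({"New-InboxRule", "Set-InboxRule"},
                   {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}),
    "mailbox": ({"Set-Mailbox"}, {"ForwardingSmtpAddress", "ForwardingAddress"}),
    "transport_rule": ({"New-TransportRule", "Set-TransportRule"},
                       {"BlindCopyTo", "CopyTo", "RedirectMessageTo"}),
}

# Constructed sample audit records (simplified), one JSON object per line.
SAMPLE_AUDIT = """
{"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [{"Name": "ForwardTo", "Value": "drop@mail.example.net"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@corp.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@corp.example"}]}
{"Operation": "New-TransportRule", "UserId": "admin@corp.example", "Parameters": [{"Name": "BlindCopyTo", "Value": "archive@corp.example;copy@other.example.org"}]}
{"Operation": "New-InboxRule", "UserId": "carol@corp.example", "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}
"""

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def recipients(value):
    """Split a parameter value into lowercase addresses without 'smtp:' prefixes."""
    parts = (p.strip().lower() for p in value.replace(",", ";").split(";"))
    return [p[5:] if p.startswith("smtp:") else p for p in parts if p]

def is_external(addr):
    domain = addr.rpartition("@")[2]
    return "@" in addr and not any(
        domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def find_forwarding(records):
    findings = []
    for rec in records:
        for scope, (operations, params) in FORWARDING_PARAMS.items():
            hits = [p for p in rec.get("Parameters", [])
                    if rec.get("Operation") in operations and p.get("Name") in params]
            for p in hits:
                for addr in recipients(p.get("Value", "")):
                    findings.append({"scope": scope, "actor": rec.get("UserId"),
                                     "parameter": p["Name"], "recipient": addr,
                                     "external": is_external(addr)})
    return findings

if __name__ == "__main__":
    print(*find_forwarding(load_records(SAMPLE_AUDIT)), sep="\n")
```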
Supported Platforms
Linux, macOS, Office Suite, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-19T18:54:47.103Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may setup email forwarding rules to collect '
'sensitive information. Adversaries may abuse email forwarding '
'rules to monitor the activities of a victim, steal '
'information, and further gain intelligence on the victim or '
'the victim’s organization to use as part of further exploits '
'or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, '
'email forwarding rules can allow adversaries to maintain '
"persistent access to victim's emails even after compromised "
'credentials are reset by administrators.(Citation: Pfammatter '
'- Hidden Inbox Rules) Most email clients allow users to '
'create inbox rules for various email functions, including '
'forwarding to a different recipient. These rules may be '
'created through a local email application, a web interface, '
'or by command-line interface. Messages can be forwarded to '
'internal or external recipients, and there are no '
'restrictions limiting the extent of this rule. Administrators '
'may also create forwarding rules for user accounts with the '
'same considerations and outcomes.(Citation: Microsoft Tim '
'McMichael Exchange Mail Forwarding 2)(Citation: Mac '
'Forwarding Rules)\n'
'\n'
'Any user or administrator within the organization (or '
'adversary with valid credentials) can create rules to '
'automatically forward all received messages to another '
'recipient, forward emails to different locations based on the '
'sender, and more. Adversaries may also hide the rule by '
'making use of the Microsoft Messaging API (MAPI) to modify '
'the rule properties, making it hidden and not visible from '
'Outlook, OWA or most Exchange Administration tools.(Citation: '
'Pfammatter - Hidden Inbox Rules)\n'
'\n'
'In some environments, administrators may be able to enable '
'email forwarding rules that operate organization-wide rather '
'than on individual inboxes. For example, Microsoft Exchange '
'supports transport rules that evaluate all mail an '
'organization receives against user-specified conditions, then '
'performs a user-specified action on mail that adheres to '
'those conditions.(Citation: Microsoft Mail Flow Rules 2023) '
'Adversaries that abuse such features may be able to enable '
'forwarding on all or specific mail an organization receives. ',
'external_references': [{'external_id': 'T1114.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1114/003'},
{'description': 'Apple. (n.d.). Reply to, forward, or '
'redirect emails in Mail on Mac. '
'Retrieved June 22, 2021.',
'source_name': 'Mac Forwarding Rules',
'url': 'https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac'},
{'description': 'Damian Pfammatter. (2018, September '
'17). Hidden Inbox Rules in Microsoft '
'Exchange. Retrieved October 12, '
'2021.',
'source_name': 'Pfammatter - Hidden Inbox Rules',
'url': 'https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/'},
{'description': 'McMichael, T.. (2015, June 8). '
'Exchange and Office 365 Mail '
'Forwarding. Retrieved October 8, '
'2019.',
'source_name': 'Microsoft Tim McMichael Exchange '
'Mail Forwarding 2',
'url': 'https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/'},
{'description': 'Microsoft. (2023, February 22). Mail '
'flow rules (transport rules) in '
'Exchange Online. Retrieved March 13, '
'2023.',
'source_name': 'Microsoft Mail Flow Rules 2023',
'url': 'https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules'},
{'description': 'US-CERT. (2018, March 27). TA18-068A '
'Brute Force Attacks Conducted by '
'Cyber Actors. Retrieved October 2, '
'2019.',
'source_name': 'US-CERT TA18-068A 2018',
'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'}],
'id': 'attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:49:00.920Z',
'name': 'Email Forwarding Rule',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Microsoft Security',
'Swetha Prabakaran, Microsoft Threat Intelligence '
'Center (MSTIC)',
'Liran Ravich, CardinalOps',
'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Office Suite', 'Windows'],
'x_mitre_version': '1.4'}