Do you detect malicious mailbox rules (auto-forward / delete) that attackers create after compromise?
Demonstrate that the organization continuously monitors for and alerts on creation of malicious mailbox rules indicative of post-compromise attacker activity.
Description
What this control does
This control detects unauthorized mailbox rules created by attackers following account compromise, particularly auto-forwarding rules that exfiltrate sensitive emails or auto-delete rules that hide incident response communications. Detection typically leverages email platform audit logs (Microsoft 365 Unified Audit Log, Google Workspace Admin audit logs) and Security Information and Event Management (SIEM) correlation to identify suspicious rule creation patterns, such as rules created from unusual IP addresses, geographic locations, or immediately following credential use anomalies. This control is critical because attackers commonly establish persistence and maintain intelligence access through covert forwarding rules that remain active even after password resets.
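As an added example (not part of this control text), the following Python sketches the kind of detection logic described above, run over constructed records shaped like Microsoft 365 Unified Audit Log New-InboxRule / Set-InboxRule events; the corporate mail domains, trusted IP ranges, hiding-folder names and watched keywords are assumptions to be replaced with the organization's own values.

```python
import ipaddress
import json
# Constructed sample records shaped like Microsoft 365 Unified Audit Log entries
# (assumption: only Operation, UserId, ClientIP and Parameters are modelled).
SAMPLE_EVENTS = json.loads("""[
 {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "10.20.30.40",
  "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
 {"Operation": "New-InboxRule", "UserId": "bob@corp.example", "ClientIP": "203.0.113.77:443",
  "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "Set-InboxRule", "UserId": "carol@corp.example", "ClientIP": "198.51.100.9",
  "Parameters": [{"Name": "Name", "Value": "Cleanup"}, {"Name": "SubjectContainsWords", "Value": "password;incident"},
                 {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}
]""")

CORPORATE_DOMAINS = {"corp.example"}                    # assumption: the org's own mail domains
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: trusted egress ranges
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"rss feeds", "junk email", "deleted items", "conversation history"}
WATCHED_WORDS = {"password", "invoice", "security", "incident", "payment"}

def analyze_event(event: dict) -> list[str]:
    """Return the reasons a rule-creation event looks malicious ([] if benign)."""
    if event.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS.intersection(params):          # exfiltration via forward/redirect
        for addr in params[name].split(";"):
            if addr.strip().rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS:
                reasons.append(f"{name} sends mail to external address {addr.strip()}")
    if params.get("DeleteMessage", "").lower() == "true":     # hides alerts / IR mail
        reasons.append("rule deletes matching messages")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in '{params['MoveToFolder']}'")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
    if words & WATCHED_WORDS:
        reasons.append(f"rule filters on sensitive subjects {sorted(words & WATCHED_WORDS)}")
    ip = event.get("ClientIP", "")
    if ip.count(":") == 1:                                    # strip ':port' seen on IPv4 entries
        ip = ip.rsplit(":", 1)[0]
    if reasons and ip and not any(ipaddress.ip_address(ip) in n for n in CORPORATE_NETS):
        reasons.append(f"created from non-corporate IP {ip}")   # aggravating context only
    return reasons

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Map each suspicious event to (UserId, reasons) for the SIEM alert queue."""
    return [(e.get("UserId", "?"), r) for e in events if (r := analyze_event(e))]
```

Source IP is deliberately treated as aggravating context rather than a trigger on its own, since remote staff routinely manage rules from non-corporate addresses.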
Control objective
What auditing this proves
Demonstrate that the organization continuously monitors for and alerts on creation of malicious mailbox rules indicative of post-compromise attacker activity.
Associated risks
Risks this control addresses
- Exfiltration of sensitive business communications, intellectual property, and customer data through auto-forwarding rules to external addresses
- Deletion of security alerts, password reset notifications, or incident response communications to maintain persistent access undetected
- Prolonged attacker dwell time as compromised accounts continue forwarding intelligence after initial breach remediation
- Regulatory non-compliance due to undetected unauthorized data transfers of protected information (PII, PHI, financial data)
- Business email compromise (BEC) persistence where attackers monitor executive communications to time fraud or social engineering attacks
- Failure to detect lateral movement indicators when attackers create rules to monitor IT administrator or security team communications
Testing procedure
How an auditor verifies this control
- Obtain the organization's email security monitoring policy and documented procedures for detecting malicious mailbox rules.
- Identify the technical tools deployed for monitoring mailbox rule activity (SIEM rules, Cloud Access Security Broker, native email platform alerting, or third-party email security solutions).
- Review detection logic configuration to verify coverage of rule creation events including auto-forward, auto-delete, move-to-folder, and redirect actions across all mailbox types (user, shared, resource).
- Examine alert trigger criteria to confirm detection of suspicious indicators such as creation from non-corporate IP addresses, anomalous geolocations, newly registered external domains, and rules created within temporal proximity to authentication anomalies.
- Request audit logs or SIEM query results for the past 90 days showing all detected mailbox rule creation events and corresponding security team disposition.
- Select a sample of 10-15 triggered alerts and trace investigation workflows to verify timely triage, user notification, rule remediation, and escalation where appropriate.
- Conduct a simulated attack by creating a test mailbox rule with forwarding to an external address and verify detection, alerting, and response within defined SLA timeframes.
- Review user access to mailbox rule creation capabilities and confirm preventive controls such as conditional access policies restricting rule management from untrusted locations or unmanaged devices.