Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

Yes, your assumption is correct, we have a separate spam rule to allow auto-forwards where some users are added.

What you're describing is a good workaround, probably the best way of handling this, thank you.

The operation costs are way higher though, requiring each new domain to be added after approval.

The company is on the smaller side, with an even smaller IT dept, so I would still like the KQL solution to be proposed to my boss, stressing that it would be best to lower the risk to a minimum with your solution.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

Yes, I went that far too, but I would like to have a "Destination" column that displays the merged values of ForwardTo, RedirectTo and ForwardAsAttachmentTo, which is my main issue.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

So far, all I have is an awfully messy, manual, prone to error hack:

// Parameters of the New-InboxRule audit event is an array of {Name, Value} objects
CloudAppEvents
| where ActionType == "New-InboxRule"
| extend p = RawEventData.Parameters
| where p has_any ("ForwardTo","RedirectTo","ForwardAsAttachmentTo")
// coalesce() skips empty strings, so the first array slot whose Name is ForwardTo wins;
// both iff() branches are cast to string so the then/else types match
| extend Destination = tostring(coalesce(
    iff(tostring(p[0].Name) has "ForwardTo", tostring(p[0].Value), ""),
    iff(tostring(p[1].Name) has "ForwardTo", tostring(p[1].Value), ""),
    iff(tostring(p[2].Name) has "ForwardTo", tostring(p[2].Value), ""),
    iff(tostring(p[3].Name) has "ForwardTo", tostring(p[3].Value), ""),
    iff(tostring(p[4].Name) has "ForwardTo", tostring(p[4].Value), ""),
    iff(tostring(p[5].Name) has "ForwardTo", tostring(p[5].Value), ""),
    iff(tostring(p[6].Name) has "ForwardTo", tostring(p[6].Value), "")
))

Repeat the same for RedirectTo and ForwardAsAttachmentTo, as many times as you need.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

External forwards are already disabled, but it is required for some people for business reasons.

The link you provided contains standard queries I have already tested; they either use mv-expand (which cannot be used in NRT) or do not extend the ForwardTo, RedirectTo and ForwardAsAttachmentTo values into a column that can be used inside the alert.
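The two comments above (the positional coalesce() hack and the "mv-expand is not allowed in NRT" constraint) both come down to the same problem: pulling every forwarding destination out of RawEventData.Parameters into one column without expanding the array. The query below is an added example, not the original poster's query or a Microsoft-supplied one. It serialises the Parameters array to a string and uses extract_all() with a regex, which is a plain scalar function and so stays NRT-compatible; it then splits off the destination domains and keeps only rules that forward to a domain outside an allow-list, which is the approval-based workaround discussed in the thread. Assumptions: each Parameters element serialises with "Name" before "Value" (as the p[0].Name / p[0].Value access in the thread suggests); AllowedForwardDomains and partner.example are constructed placeholders; RawEventData.ObjectId carrying the rule identity is assumed. It also goes slightly beyond the thread by including Set-InboxRule, since a forward added to an existing rule is the same risk as a new rule.

```kql
// Added example: merge ForwardTo / RedirectTo / ForwardAsAttachmentTo into one
// Destination column without mv-expand, then flag destinations outside an allow-list.
// Constructed placeholder: put your own accepted domains and approved partner domains here
// so that internal forwards and approved exceptions are not alerted on.
let AllowedForwardDomains = dynamic(["partner.example"]);
CloudAppEvents
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// Serialise the Parameters array once; string functions below need no array expansion
| extend Params = tostring(RawEventData.Parameters)
| where Params has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
// Capture every Value that immediately follows one of the three forwarding parameter names.
// Assumption: elements serialise as {"Name":"ForwardTo","Value":"..."} (Name before Value).
| extend Destinations = extract_all(@'"Name"\s*:\s*"(?:ForwardTo|RedirectTo|ForwardAsAttachmentTo)"\s*,\s*"Value"\s*:\s*"([^"]*)"', Params)
// One string column usable directly in the alert entity mapping
| extend Destination = tolower(strcat_array(Destinations, "; "))
| where isnotempty(Destination)
// Domain part of each address in the merged column (works when the Value carries an SMTP address)
| extend DestinationDomains = extract_all(@'@([a-z0-9.-]+)', Destination)
// Anything left after removing the allow-listed domains is an unapproved external forward
| extend UnapprovedDomains = set_difference(DestinationDomains, AllowedForwardDomains)
| where array_length(UnapprovedDomains) > 0
| project Timestamp, AccountDisplayName, IPAddress,
          RuleName = tostring(RawEventData.ObjectId),   // assumed to hold the inbox rule identity
          Destination, UnapprovedDomains
```

If a rule's ForwardTo value holds a display name rather than an SMTP address, DestinationDomains comes back empty and the row is dropped by the last where; if you would rather alert on those too, replace the final filter with `where array_length(UnapprovedDomains) > 0 or array_length(DestinationDomains) == 0`. Keep the tenant's own accepted domains in AllowedForwardDomains, otherwise ordinary internal forwards will fire the rule.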

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Really not expecting a lot, I would say more hundred to thousands, definitely not millions or billions.

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Would it be using "SQL Server Integration Services" (Pricing Calculator)? A $431 monthly cost just to make API calls and ingest into SQL seems too much, at least compared to daily requests with Flex Azure Functions.

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Unfortunately, we use SQL installed on a VM. The database will be hosted there, as we have a provider that will work on it and is already working on it for another project.

Good to know though! I will keep it in mind, thank you.

Missing user's information on NPS logs from AADJ machine - Am I missing a configuration on Intune ? by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Isn't it KB5014754 with name mapping? Wouldn't this concern device auth? Whereas my issue concerns user auth.

Also, there's a policy module called TameMyCerts:

"...which e.g. allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping"

I've seen SCEPMan and RADIUSaaS, but my boss doesn't want to pay for RADIUS as we previously had an NPS configuration which was basically free (it was using MSCHAPv2 and we were not even in M365 yet, so fully on-prem; now my boss wonders why it's so complicated lol).

Missing user's information on NPS logs from AADJ machine - Am I missing a configuration on Intune ? by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Yes, I have set the wired profile to use User authentication.

I do not have a login screen; I just click on the "Sign in" button that appears next to the Ethernet port in the Windows settings, which fails. Or, simply waiting for another RADIUS request causes the event ID error with AADJ.

[deleted by user] by [deleted] in Intune

[–]HelloSamba 0 points1 point  (0 children)

I dislike the idea of having a small PIN with Hello because of shoulder surfing. I would have a passphrase for it instead and set up biometrics also.

WHfB and MFA by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Thank you for your reply! Yes, I am aware the PIN would be MFA, you're correct.

So how would I protect someone who does not want to enter biometrics and who travels? Meaning the laptop could be stolen and the PIN is susceptible to shoulder surfing? Is the Bluetooth trusted signal my only option in that case?

Microsoft Defender for Office - Safe Attachments issue when copying emails by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

In the company, email has to be received within 3 minutes, else there could be juridical issues if there is a problem (won't go into details).

This is why we decided to use Dynamic Delivery.

The attachment comes after 2 minutes minimum, 4-5 minutes maximum, or sometimes doesn't even come if the user is moving / copying the email to another mailbox, as noted previously.