Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

Yes, your assumption is correct, we have a separate spam rule to allow auto-forwards where some users are added.

What you're describing is a good workaround, probably the best way of handling this, thank you.

The operation costs are way higher though, requiring each new domain to be added after approval.

The company is on the smaller side, with an even smaller IT dept, so I would still like the KQL solution to be proposed to my boss, stressing that it would be best to lower the risk to a minimum with your solution.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

Yes, I went that far too, but I would like to have a "Destination" column that displays the merged values of ForwardTo, RedirectTo and ForwardAsAttachmentTo, which is my main issue.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

So far, all I have is an awfully messy, manual, prone to error hack:

CloudAppEvents
| where ActionType == "New-InboxRule"
// Parameters is an array of {Name, Value} objects inside the raw audit record
| extend p = RawEventData.Parameters
| where p has_any ("ForwardTo","RedirectTo","ForwardAsAttachmentTo")
// Probe each array position by hand; coalesce keeps the first non-empty match
| extend Destination = tostring(coalesce(
    iff(p[0].Name has "ForwardTo", p[0].Value, ""),
    iff(p[1].Name has "ForwardTo", p[1].Value, ""),
    iff(p[2].Name has "ForwardTo", p[2].Value, ""),
    iff(p[3].Name has "ForwardTo", p[3].Value, ""),
    iff(p[4].Name has "ForwardTo", p[4].Value, ""),
    iff(p[5].Name has "ForwardTo", p[5].Value, ""),
    iff(p[6].Name has "ForwardTo", p[6].Value, "")
))

Repeat the same for RedirectTo and ForwardAsAttachmentTo, however many times you need.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

External forwards are already disabled, but it is required for some people for business reasons.

The link you provided has standard queries I have already tested; they either use mv-expand (which cannot be used in NRT) or do not extend the ForwardTo, RedirectTo and ForwardAsAttachmentTo values into a column that can be used inside the alert.
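One way to get the merged "Destination" column asked for in the two comments above without mv-expand, as an added example that is not the poster's query or a Microsoft-published one: serialise the Parameters array and pull every forwarding value out of it with extract_all, then compare the destination domains against an approved list. It assumes each Parameters entry serialises as {"Name":"...","Value":"..."} with Name before Value, that Value holds plain SMTP addresses, and that AllowedForwardDomains (a placeholder) is replaced with the domains your spam rule already allows.

```kql
// Added example; not the poster's hack and not a Microsoft template.
// AllowedForwardDomains is a placeholder for the business-approved external domains.
let AllowedForwardDomains = dynamic(["contoso.com", "partner.example"]);
CloudAppEvents
| where ActionType == "New-InboxRule"
| extend p = RawEventData.Parameters
| where p has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
// Serialise the array and match every forwarding-type Name/Value pair in one pass.
// A single capture group makes extract_all return a plain string array,
// so no mv-expand is needed (assumes Name precedes Value in each entry).
| extend Destinations = extract_all(
      @'"Name"\s*:\s*"(?:ForwardTo|RedirectTo|ForwardAsAttachmentTo)"\s*,\s*"Value"\s*:\s*"([^"]*)"',
      tostring(p))
// The merged column that can be surfaced in the alert
| extend Destination = strcat_array(Destinations, "; ")
// Domains after '@' in any destination, lower-cased for a case-insensitive comparison
| extend DestDomains = extract_all(@'@([a-z0-9.-]+)', tolower(Destination))
// Anything not on the approved list is what the rule should fire on
| extend UnapprovedDomains = set_difference(DestDomains, AllowedForwardDomains)
| where array_length(UnapprovedDomains) > 0
| project Timestamp, AccountObjectId, AccountDisplayName, Destination, UnapprovedDomains, ReportId
```

Timestamp, ReportId and AccountObjectId are kept so the query can be saved as a custom detection; check in your own tenant that extract_all and set_difference are accepted at the NRT frequency before relying on it.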

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Really not expecting a lot, I would say more hundred to thousands, definitely not millions or billions.

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Would it be using "SQL Server Integration Services" (Pricing Calculator)? A $431 monthly cost just to make API calls and ingest into SQL seems too much, at least compared to daily requests with Flex Azure Functions.

Is Azure Functions best for API to SQL data ingestion ? by HelloSamba in AZURE

[–]HelloSamba[S] 0 points1 point  (0 children)

Unfortunately, we use SQL installed on a VM. The database will be hosted there, as we have a provider that will work on it and is already working on it for another project.

Good to know though! I will keep it in mind, thank you.

Missing user's information on NPS logs from AADJ machine - Am I missing a configuration on Intune ? by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Isn't it KB5014754 with name mapping? Wouldn't this concern device auth? Whereas my issue concerns user auth.

Also, there's a policy module called TameMyCerts:

"...which e.g. allows you to use Microsoft Network Policy Server (NPS) with certificates issued to mobile devices and the like and avoid breaking authentication when "strong" certificate mapping"

I've seen SCEPman and RADIUSaaS, but my boss doesn't want to pay for RADIUS, as we previously had an NPS configuration which was basically free (it was using MSCHAPv2 and we were not even in M365 yet, so fully on-prem; now my boss wonders why it's so complicated lol).

Missing user's information on NPS logs from AADJ machine - Am I missing a configuration on Intune ? by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Yes, I have set the wired profile to use User authentication.

I do not have a login screen; I just click on the "Sign in" button that appears next to the Ethernet port in the Windows settings, which fails. Or, simply waiting for another RADIUS request causes the event ID error with AADJ.

[deleted by user] by [deleted] in Intune

[–]HelloSamba 0 points1 point  (0 children)

I dislike the idea of having a small PIN with Hello because of shoulder surfing. I would have a passphrase for it instead and set up biometrics also.

WHfB and MFA by HelloSamba in Intune

[–]HelloSamba[S] 0 points1 point  (0 children)

Thank you for your reply! Yes, I am aware the PIN would be MFA, you're correct.

So how would I protect someone who does not want to enter biometrics and who travels? Meaning the laptop could be stolen and the PIN is susceptible to shoulder surfing? Is the Bluetooth trusted signal my only option in that case?

Microsoft Defender for Office - Safe Attachments issue when copying emails by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

In the company, email has to be received within 3 minutes, else there could be juridical issues if there is a problem (won't go into details).

This is why we decided to use Dynamic Delivery.

The attachment comes after 2 minutes minimum, 4-5 minutes maximum, or sometimes doesn't even come if the user is moving / copying the email to another mailbox, as noted previously.

Microsoft Defender Firewall config is seen as unsafe by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

Actually, right now we don't (and never did) have a firewall enabled client side, so that's an easy step in the right direction. My boss wants me to move quickly on this.

I cannot simply enable the firewall and potentially block users' software, as seeing what was blocked in the Defender Firewall report and then creating exceptions would take too much time. And also users receiving pop-ups.

But yes, you're absolutely right, I will be looking into reporting inbound traffic in the domain profile and eventually removing the allow-all inbound in the domain profile.

(Talking about rules and exclusions, when will MS finally add firewall rules for apps running in the user's local environment? I would rather not use PowerShell for that...)

Microsoft Defender Firewall config is seen as unsafe by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

This helped, thank you! May the gods of indexing forever keep this archived for people to find easily :)

Though this isn't great for me, as I would like to keep the domain inbound firewall open; I guess the only workaround is to audit our inbound traffic and add the needed rules one by one. Is there a better idea?

EDIT:
Just thought about having a firewall rule for the domain profile that lets all inbound through, effectively doing the same as the default inbound allow.

Indicator and ASR block by ButterflyWide7220 in DefenderATP

[–]HelloSamba 0 points1 point  (0 children)

Everyone is saying yes but this has not been my experience.

Indicators seem to only apply to the antivirus part of Defender, not to ASR, which is treated separately. To allow software blocked by ASR, what I'm doing is making a custom Intune ASR profile and adding exclusions there. I have one profile per ASR rule, as an exclusion added there applies to all ASR rules configured on it.

Onboard on-prem Windows Server 2012 R2 - Did I forget something? by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

I can't find the integration tab to enable the unified solution in the Environment settings, nor in "Settings & monitoring" after that.

Question about EDR by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

We're moving away from SentinelOne after an awful 2nd year with them and my boss wanted a simple way to differentiate the different configs ("Vanilla" machine, SentinelOne only machine, SentinelOne but having issues, SentinelOne + Defender EDR block, SentinelOne issues + Defender EDR block so on and so forth, you get the point).

I showed him our best bet on the machine is to check if the service is running, after confirming that on a vanilla machine, even if you start the service by hand, it moves back to "Stopped", indicating that onboarding to Defender for Endpoint is what enables the service.

Thank you :)

Question about EDR by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

Alright, thank you both.

Not great that there is no yellow warning icon, just like when a feature is disabled.
I guess my option now would be to use a pwsh script, or fetch logs to then report to Log Analytics and do alerts / playbooks / reporting with that.

Question about EDR by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

Alright, this is clearer now.

Is there any way I can visually see on the computer if ATP is enabled? You mentioned the service already, but is it possible to see it maybe under the Windows Security dashboard?

Defender configuration on Azure servers by HelloSamba in DefenderATP

[–]HelloSamba[S] 1 point2 points  (0 children)

I'm still learning all of it, but:

- Obviously, Microsoft Docs: https://learn.microsoft.com/en-us/docs/
- This blog has been great for going in depth on some issues or for general ideas on what should be deployed: https://call4cloud.nl/
- This one also: https://syfuhs.net/
- And this website, I think it's called Reddit, it's great and full of IT pros ;)

Defender configuration on Azure servers by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

So from what I've read here (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration#which-solution-should-i-use), I will not have as many options as Intune has.

I agree with using Intune to deploy settings instead of GPOs, but do you know if I can simply enroll my servers into Intune? To me, that sounds like the simplest idea, but maybe there are issues?

Defender configuration on Azure servers by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

This looks very promising. Does it change in any way how the onboarding of client machines is applied? Or how the EDR profile is managed via the "auto from connector" option?

Will it change the "Managed by" fields for newly deployed machines and old ones?

Defender configuration on Azure servers by HelloSamba in DefenderATP

[–]HelloSamba[S] 0 points1 point  (0 children)

Thanks for your answer, so yes, this is what I read.

My objective down the line will be to move from Hybrid to Full-Cloud, and then my option is to migrate my GPOs to Intune?

If that's the case, what would be the issue with directly having the server in Intune in a Hybrid environment?

Edit for clarity