
MITRE ATT&CK T1114.003: Email Forwarding Rule

Understanding the MITRE ATT&CK technique for Email Forwarding Rule — what it is, how adversaries use it, and how to detect it.

MITRE ATT&CK T1114.003, Email Forwarding Rule, is a sub-technique of T1114 (Email Collection) that describes how adversaries create or modify email forwarding rules so that copies of incoming messages are automatically routed to an attacker-controlled destination. ATT&CK classifies it under the Collection tactic, but its value to an attacker goes beyond a one-off collection: once the rule exists, mail keeps arriving at the attacker's mailbox even after the victim's password is reset and sessions are revoked, so it doubles as a durable foothold on the data that needs no further access to the account.

The parent technique: T1114 Email Collection

T1114 covers the methods adversaries use to collect email from compromised environments. It has three sub-techniques: T1114.001 (Local Email Collection), T1114.002 (Remote Email Collection), and T1114.003 (Email Forwarding Rule). Where .001 and .002 involve the attacker reading an email store directly, .003 configures the email service itself to deliver the data. The forwarded copies are generated inside the provider's infrastructure and leave through the provider's own outbound mail flow, so they never cross the victim's network perimeter; that is what makes the technique passive, persistent, and extremely difficult to detect through network monitoring alone.

Related technique: T1564.008 Email Hiding Rules

Closely related is T1564.008, Email Hiding Rules, which falls under the Defense Evasion tactic. Adversaries frequently pair a forwarding rule with a hiding rule that moves matching messages to a folder the owner rarely opens (RSS Subscriptions and Conversation History are common choices), marks them as read, or deletes them outright, so the owner never sees the replies or security alerts that would reveal the compromise. When T1114.003 and T1564.008 are used together, the attacker achieves both exfiltration and stealth in a single configuration change.

Documented threat actors

Several well-known threat groups have been observed using T1114.003 in real-world operations:

  • APT1 (Comment Crew): One of the earliest documented groups to systematically use email forwarding rules for long-term intelligence collection from compromised organizations.
  • Kimsuky (Velvet Chollima): A North Korean threat actor that targets think tanks, research institutions, and government agencies. Kimsuky has been observed creating forwarding rules in compromised Microsoft 365 accounts to exfiltrate diplomatic communications.
  • Silent Librarian (Cobalt Dickens): An Iranian threat group focused on academic institutions. They compromise faculty email accounts and establish forwarding rules to harvest research data and intellectual property over extended periods.
  • LAPSUS$: Used forwarding rules as part of broader intrusion campaigns against technology companies, forwarding internal communications to external accounts for reconnaissance.

How the technique is executed

In Microsoft 365, anyone with mailbox access can create an inbox rule through Exchange Online PowerShell (New-InboxRule), Outlook on the web, the Microsoft Graph API (the messageRules resource of the inbox folder), or directly via MAPI operations from a client such as Outlook. Inbox rules are not the only path: mailbox-level forwarding (the ForwardingSmtpAddress and ForwardingAddress properties, set from the Outlook on the web settings page or with Set-Mailbox) sends every message elsewhere without any rule at all, and a check that only enumerates inbox rules will miss it. In Google Workspace, a filter with a forwarding action can be created through the Gmail web interface or the Gmail API (users.settings.filters), and account-level auto-forwarding to a verified address can be enabled the same way (users.settings.forwardingAddresses and updateAutoForwarding). The technical barrier is low, since none of this requires administrative privileges. The one gate is tenant policy: by default, Exchange Online's outbound spam filter policy blocks automatic forwarding to external recipients, so the technique also depends on that policy having been relaxed for the tenant or for the user. Check its actual state rather than assuming the default is still in place.

The most dangerous variant is a rule written at the MAPI level, by a client or script that manipulates the mailbox's rules table directly rather than going through the cmdlets or the web UI. By stripping or altering the rule properties that Outlook and Exchange use to display rules (PR_RULE_PROVIDER being the usual target), an attacker can leave a rule that is fully active but absent from the user's Outlook rule list and from the standard admin views, so it stays invisible to both the mailbox owner and the administrator unless tooling that reads the rules table directly, such as MFCMAPI, is used.

Detection approaches

  • Enumerate inbox rules in every mailbox with Exchange Online PowerShell (Get-InboxRule, including the -IncludeHidden switch) or the Graph API (each user's inbox messageRules), and flag any rule whose actions include ForwardTo, RedirectTo, or ForwardAsAttachmentTo.
  • Enumerate mailbox-level forwarding separately, since it is not a rule: Get-Mailbox with the ForwardingSmtpAddress, ForwardingAddress, and DeliverToMailboxAndForward properties populated.
  • In Google Workspace, use the Gmail API under domain-wide delegation (users.settings.filters.list, users.settings.forwardingAddresses.list, and users.settings.getAutoForwarding) to list every filter with a forward action and every verified forwarding address, and cross-reference them against a known-good baseline.
  • Monitor the Unified Audit Log (Microsoft 365) for New-InboxRule, Set-InboxRule, UpdateInboxRules (the Outlook desktop client path), and Set-Mailbox events that carry forwarding parameters, and the corresponding Google Workspace audit events for filter and forwarding changes.
  • Flag rules whose forwarding target domain is not on an approved allowlist, giving highest priority to free webmail domains and look-alikes of the organization's own domains.
  • Correlate rule creation events with suspicious sign-in activity: rules created from IP addresses the user has never signed in from, from impossible-travel locations, or from anonymous VPN infrastructure are high-confidence indicators of compromise.
  • Scan for MAPI-level rules with tooling that reads the rules table directly, such as MFCMAPI, rather than relying on admin center visibility.
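The audit-log checks above, carried out over exported Unified Audit Log records, as an added example that is not code from this page or from MailBreach. The script reads AuditData JSON documents of the shape Search-UnifiedAuditLog returns, picks out the operations that create or change forwarding (inbox rules and Set-Mailbox forwarding alike), extracts the target addresses, drops anything on the allowlist, notes hiding actions set in the same change, and marks whether the client IP has ever appeared in the user's sign-ins. The tenant domains, allowlist, users, addresses, and IPs are hypothetical, and the sample records are constructed.

```python
"""Triage Microsoft 365 Unified Audit Log records for forwarding changes (T1114.003)
and the hiding actions often paired with them (T1564.008). Added example, not code
from the page or the MailBreach product; the records below are constructed in the
shape of Search-UnifiedAuditLog AuditData JSON and every user, domain and IP is hypothetical."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAINS = {"corp.example"}      # assumption: the tenant's accepted domains
APPROVED_EXTERNAL = {"partner.example"}  # assumption: allowlisted forwarding targets
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
# Inbox-rule actions and mailbox properties that send mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Rule actions commonly paired with forwarding so the owner never sees the mail.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
# Matches bare addresses, "smtp:addr" and '"name" [SMTP:addr]' parameter forms.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

@dataclass
class Finding:
    user: str
    operation: str
    time: str
    client_ip: str
    external: list       # forwarding targets outside the allowlist
    hiding: list         # hiding actions set in the same change
    unfamiliar_ip: bool  # ClientIP never seen in the user's UserLoggedIn events
    @property
    def severity(self) -> str:
        return "high" if (self.unfamiliar_ip or self.hiding) else "medium"

def forwarding_targets(params):
    """Every address named by a forwarding parameter of one audit record."""
    found = []
    for p in params:
        if p.get("Name") in FORWARD_PARAMS:
            found.extend(ADDR_RE.findall(str(p.get("Value", ""))))
    return found

def external_targets(addresses):
    allowed = {d.lower() for d in INTERNAL_DOMAINS | APPROVED_EXTERNAL}
    return [a for a in addresses if a.rsplit("@", 1)[1].lower() not in allowed]

def signin_baseline(records):
    """User -> client IPs seen in UserLoggedIn events. In production, scope this
    to a window before each change rather than to the whole export."""
    seen = defaultdict(set)
    for r in records:
        if r.get("Operation") == "UserLoggedIn" and r.get("ClientIP"):
            seen[r["UserId"].lower()].add(r["ClientIP"])
    return seen

def triage(auditdata_lines):
    """Return a Finding for each forwarding change to a non-allowlisted address."""
    records = [json.loads(line) for line in auditdata_lines]
    baseline = signin_baseline(records)
    findings = []
    for r in records:
        if r.get("Operation") not in FORWARDING_OPS:
            continue
        params = r.get("Parameters", [])
        external = external_targets(forwarding_targets(params))
        if not external:
            continue
        user = r["UserId"].lower()
        findings.append(Finding(
            user=user, operation=r["Operation"], time=r["CreationTime"],
            client_ip=r.get("ClientIP", ""), external=external,
            hiding=[p["Name"] for p in params if p.get("Name") in HIDING_PARAMS],
            unfamiliar_ip=r.get("ClientIP") not in baseline.get(user, set())))
    return findings

# Constructed sample records, one AuditData JSON document per line.
SAMPLE_AUDITDATA = [json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "alice@corp.example", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-05-02T07:58:30", "Operation": "UserLoggedIn",
     "UserId": "bob@corp.example", "ClientIP": "198.51.100.9"},
    # Forward-and-hide rule created at night from an IP alice never signed in from.
    {"CreationTime": "2024-05-03T02:14:09", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"ops" [SMTP:ops-archive@mail.example.net]'},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    # Mailbox-level SMTP forwarding (not an inbox rule), set from bob's usual IP.
    {"CreationTime": "2024-05-03T09:00:00", "Operation": "Set-Mailbox",
     "UserId": "bob@corp.example", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.home@example.org"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    # Benign: forwarding to an allowlisted partner domain is not reported.
    {"CreationTime": "2024-05-03T10:30:00", "Operation": "Set-InboxRule",
     "UserId": "carol@corp.example", "ClientIP": "198.51.100.12",
     "Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@partner.example"}]}]]

if __name__ == "__main__":
    print(*triage(SAMPLE_AUDITDATA), sep="\n")
```

Run as-is it reports two findings: alice's rule is high severity (external target, two hiding actions, unfamiliar IP) and bob's mailbox-level forward is medium (external target from a familiar IP). Carol's forward to the allowlisted partner domain produces nothing. To use it on real data, feed it the AuditData column of a Search-UnifiedAuditLog export and replace the two domain sets with the tenant's accepted domains and its approved forwarding partners; UpdateInboxRules events from the Outlook desktop client serialize their actions differently from the cmdlet events, so the parameter extraction here is a simplification for that operation.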

Organizations that align their detection capabilities with the MITRE ATT&CK framework gain a structured approach to identifying T1114.003 activity. The key insight is that this technique operates at the configuration layer — not the network layer — which means traditional SIEM rules based on network telemetry will miss it entirely.

Detect these threats automatically

MailBreach scans every mailbox in your M365 or Google Workspace tenant for hidden forwarding rules and suspicious inbox filters.

Start Free Trial