MITRE ATT&CK Coverage

Automated Detection for T1114.003

MITRE ATT&CK T1114.003 (Email Forwarding Rule) is one of the hardest techniques to detect with log-based tools alone. MailBreach provides 12 detection patterns with direct configuration inspection — purpose-built for SOC teams and detection engineers.

14-day free trial. Full detection coverage from your first scan.

Understanding MITRE ATT&CK T1114.003: Email Forwarding Rule

T1114.003 is a sub-technique under T1114 (Email Collection) in the MITRE ATT&CK framework. It describes the adversary behavior of modifying email forwarding rules to automatically redirect or copy email messages to an attacker-controlled destination. This technique is classified under the Collection tactic and is commonly observed in the post-compromise phase of business email compromise (BEC), espionage campaigns, and insider threat scenarios.

The technique is particularly insidious because it provides persistent, passive access to email communications without requiring the attacker to maintain active access to the compromised account. Once a forwarding rule is in place, the attacker receives copies of emails even if the victim changes their password or revokes OAuth tokens — because the rule executes within the mail platform's infrastructure, not through the attacker's session.

T1114.003 is closely related to several other ATT&CK techniques. T1564.008 (Email Hiding Rules) describes the use of inbox rules to hide evidence of compromise by deleting, archiving, or moving security notification emails. T1078 (Valid Accounts) covers the initial access vector that enables rule creation. T1098.002 (Additional Email Delegate Permissions) describes adding delegate access to read another user's mailbox. A comprehensive detection strategy must account for all of these related techniques.

  • T1114.003 — Email Forwarding Rule: redirect or copy email to attacker-controlled address
  • T1564.008 — Email Hiding Rules: hide security alerts and compromise evidence
  • T1078 — Valid Accounts: initial access enabling rule creation
  • T1098.002 — Additional Email Delegate Permissions: adding unauthorized delegates

Why Log-Based Detection Falls Short for T1114.003

The standard approach to detecting T1114.003 in a SOC is to write SIEM detection rules against mailbox audit logs. In Microsoft 365, this means monitoring the Unified Audit Log for events like New-InboxRule, Set-InboxRule, and Set-Mailbox (for SMTP forwarding). In Google Workspace, it means watching for email_forwarding_change and email_filter_create events in the Admin audit log.

This approach has fundamental limitations. Microsoft 365's Unified Audit Log has a documented ingestion delay of up to 24 hours for mailbox events — meaning a forwarding rule could be active for a full day before the log event even appears in your SIEM. Google Workspace audit log latency is typically shorter but still measured in hours. For a technique designed for rapid exfiltration, this delay is operationally significant.

Beyond latency, log-based detection suffers from completeness gaps. MAPI-level rules in Exchange Online may not generate standard audit events. Legacy EWS-based rule creation has inconsistent logging. Rules created during periods when audit logging was misconfigured or disabled leave no trace at all. And even when logs are complete, the signal-to-noise ratio is challenging — organizations with thousands of users create hundreds of legitimate inbox rules daily, and without enrichment (domain reputation, allowlist comparison, user baseline behavior), every rule creation event is a potential false positive.

MailBreach addresses these limitations by performing direct configuration inspection rather than relying on event logs. By querying the Graph API and Gmail API to read the actual rules present in every mailbox, MailBreach detects forwarding rules regardless of when or how they were created — including rules that predate your audit log retention window.

MailBreach's 12 Detection Patterns Mapped to T1114.003

MailBreach evaluates every forwarding rule against 12 detection patterns organized into three severity tiers. These patterns were developed from analysis of real-world BEC investigations, threat intelligence reports, and MITRE ATT&CK procedure examples.

Severity 1 patterns (P1-P5) represent high-confidence indicators of compromise. These include forwarding to external freemail domains (Gmail, Outlook.com, Yahoo), rules with keyword triggers targeting financial terms (invoice, wire, payment, ACH), rules created via API or PowerShell rather than the user interface, MAPI-level hidden rules, and forwarding to domains that have appeared in known BEC infrastructure. These patterns warrant immediate investigation and can be auto-remediated in Mode C.

Severity 2 patterns (P6-P9) require contextual analysis and human judgment. These include forwarding to external domains not on the organization's allowlist, rules created outside business hours, rules targeting specific senders (such as the CFO or accounts payable), and delegate access grants to external users. These findings surface in the dashboard for SOC analyst review before remediation.

Severity 3 patterns (P10-P12) are informational and support baseline monitoring. These include internal forwarding between organizational mailboxes, rules that match common legitimate patterns, and forwarding configurations that were present at the time of initial scan. These findings are tracked for drift detection — if a previously baselined rule changes, it is re-evaluated and potentially escalated.

  • P1-P5 (Severity 1): High-confidence IOCs — auto-remediable in Mode C
  • P6-P9 (Severity 2): Contextual findings — require human approval before action
  • P10-P12 (Severity 3): Informational — tracked for drift and baseline changes
  • All 12 patterns map directly to T1114.003 with sub-classifications for reporting
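As an added illustration of the tiering described above (example code written for this page, not MailBreach's own implementation), the following classifier applies the page's Severity 1/2/3 criteria to rule records read from mailbox configuration rather than from audit logs. The `Rule` fields, the tenant allowlist, and the sample rules are constructed assumptions loosely modelled on a Graph `messageRule`.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from collections import Counter
# Constructed tenant context (assumptions for this example, not real data).
ALLOWLIST = {"example.com", "partner.example"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
FINANCE_TERMS = {"invoice", "wire", "payment", "ach"}

@dataclass
class Rule:
    """Simplified stand-in for a Graph messageRule; field names are assumptions."""
    mailbox: str
    forward_to: list[str]
    body_contains: list[str] = field(default_factory=list)
    hidden: bool = False       # MAPI-level rule not visible in the client UI
    created_via: str = "ui"    # "ui", "api" or "powershell"

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def classify(rule: Rule) -> tuple[int, str]:
    """Map one rule to (severity, reason): 1 high-confidence, 2 contextual, 3 informational."""
    dests = {domain(a) for a in rule.forward_to}
    if not dests:
        return 3, "no forwarding destination"
    if dests & FREEMAIL:
        return 1, "forwarding to freemail domain"
    if rule.hidden:
        return 1, "MAPI-level hidden forwarding rule"
    if rule.created_via != "ui":
        return 1, f"forwarding rule created via {rule.created_via}"
    if {t.lower() for t in rule.body_contains} & FINANCE_TERMS:
        return 1, "keyword trigger on financial terms"
    if dests - ALLOWLIST:
        return 2, "forwarding to external domain not on allowlist"
    return 3, "internal or allowlisted forwarding"

def severity_counts(rules: list[Rule]) -> dict[int, int]:
    """Tier totals for one scan, the kind of summary a dashboard would show."""
    return dict(Counter(classify(r)[0] for r in rules))

# Constructed sample rules, as a configuration scan might return them.
SAMPLE_RULES = [
    Rule("alice@example.com", ["personal.mailbox@gmail.com"]),
    Rule("bob@example.com", ["ap@partner.example"], body_contains=["Invoice"]),
    Rule("carol@example.com", ["archive@vendor-mail.test"]),
    Rule("dave@example.com", ["team-shared@example.com"]),
    Rule("erin@example.com", ["relay@example.com"], hidden=True),
]
```

Severity 1 checks run before the allowlist test on purpose: a hidden or API-created rule pointing at an allowlisted domain is still a high-confidence finding under the page's criteria.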

For SOC Teams and Detection Engineers

If you are a detection engineer building T1114.003 coverage, MailBreach complements your existing SIEM-based detections with a fundamentally different detection methodology. Log-based detection tells you when a rule was created (with latency). Configuration-based detection tells you what rules exist right now (with certainty). The combination eliminates both the latency gap and the completeness gap.

MailBreach's API provides structured finding data that integrates with your existing SOAR and ticketing workflows. Each finding includes the rule details, matched detection pattern, severity classification, MITRE ATT&CK technique ID, affected user, and recommended remediation action. Webhook notifications can trigger automated playbooks in your SOAR platform for rapid triage.

For organizations pursuing MITRE ATT&CK-based coverage metrics — whether for internal maturity tracking, CISO reporting, or frameworks like NIST CSF — MailBreach provides documented, testable detection coverage for T1114.003 and related sub-techniques. Each detection pattern is mapped to specific ATT&CK procedure examples, giving your team defensible coverage claims backed by continuous monitoring rather than point-in-time assessments.

  • Complements SIEM detections with configuration-based inspection
  • Structured API output integrates with SOAR and ticketing workflows
  • Webhook notifications trigger automated response playbooks
  • Documented ATT&CK coverage metrics for maturity and compliance reporting

Key Capabilities

Direct Configuration Inspection

Queries the Graph API and Gmail API to read actual mailbox rules — not log events. Detects rules regardless of creation method, timing, or audit log availability.

12 Detection Patterns

Three-tier severity classification covering freemail forwarding, keyword interception, MAPI rules, API-created rules, and more — all mapped to T1114.003.

ATT&CK-Aligned Reporting

Every finding maps to MITRE ATT&CK technique IDs with procedure-level detail. Export coverage reports for CISO dashboards and compliance frameworks.

SOAR Integration

Structured webhook payloads and API access for integration with SOAR platforms, SIEM enrichment, and automated response playbooks.

Ready to secure your email?

Start detecting hidden forwarding rules in minutes. No credit card required.