Merge PR #5860 from @marcopedrinazzi - Add New Email Forwarding and Hiding Rules

remove: Suspicious PowerShell Mailbox SMTP Forward Rule
new: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
new: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml

@@ -1,11 +1,12 @@
 title: Suspicious PowerShell Mailbox SMTP Forward Rule
 id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
-status: test
+status: deprecated
 description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
 references:
     - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-26
+modified: 2026-03-01
 tags:
     - attack.exfiltration
 logsource:

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml

@@ -0,0 +1,43 @@
+title: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
+id: 0c7686d5-c74e-4292-b224-2a08e956ebc4
+related:
+    - id: c726e007-2cd0-4a55-abfb-79730fbedee5
+      type: similar
+    - id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
+      type: obsolete
+status: experimental
+description: Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
+references:
+    - https://redcanary.com/blog/email-forwarding-rules/
+    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
+author: Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
+date: 2026-03-01
+tags:
+    - attack.collection
+    - attack.t1114.003
+    - attack.defense-evasion
+    - attack.t1564.008
+    - attack.exfiltration
+    - attack.t1020
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'New-InboxRule'
+            - 'Set-InboxRule'
+            - 'Set-Mailbox'
+    selection_params:
+        ScriptBlockText|contains:
+            - 'ForwardAsAttachmentTo'
+            - 'ForwardingAddress'
+            - 'ForwardingSmtpAddress'
+            - 'ForwardTo'
+            - 'RedirectTo' # Also covers "RedirectToRecipients"
+    condition: all of selection_*
+falsepositives:
+    - Legitimate mail forwarding rules created by users or administrators to forward email to designated internal or external recipients for business or operational purposes.
+level: medium

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml

@@ -0,0 +1,42 @@
+title: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
+id: 04580eed-e1d6-426b-a570-f6e64a4577f7
+related:
+    - id: d3577be1-42c9-44a7-b56e-2e8de97349d3
+      type: similar
+status: experimental
+description: |
+    Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.
+    The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
+    Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
+references:
+    - https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
+    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
+    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
+author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
+date: 2026-02-10
+tags:
+    - attack.defense-evasion
+    - attack.t1564.008
+    - attack.exfiltration
+    - attack.collection
+    - attack.t1114.003
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'New-InboxRule'
+            - 'Set-InboxRule'
+    selection_params:
+        ScriptBlockText|contains:
+            - 'DeleteMessage'
+            - 'MarkAsRead'
+            - 'MoveToFolder'
+            - 'SubjectOrBodyContainsWords'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
+level: medium