Detect hidden inbox forward rule in On-Premise Exchange
In many Exchange email account compromise investigations, the attacker adds an inbox rule that forwards the victim's email to an account under the attacker's control. To make the forwarding rule even harder for the victim to detect, attackers use more advanced techniques to hide it.
Several research articles already discuss hidden inbox forwarding rules in O365, including work by Compass Security, Matthew Green and GCITS. This post therefore focuses on on-premise Exchange, namely Exchange 2013, 2016 and 2019.
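As an added example that is not part of the original article, the following Exchange Management Shell sweep lists mailbox-level forwarding and every inbox rule that forwards or redirects mail, flagging targets outside the organisation's own domains (the domain list, the CSV path and the 30-day window are assumptions). It only covers rules the management cmdlets still return, so treat it as a baseline check rather than a substitute for the hiding techniques examined in the rest of the article.

```powershell
# Added example (not from the original article): baseline sweep of an on-premise
# Exchange organisation for forwarding an attacker may have configured.
# Run from the Exchange Management Shell with a role that can read inbox rules.
$InternalDomains = @('contoso.example')   # assumption: replace with your accepted domains
$Findings = New-Object System.Collections.Generic.List[object]

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients look like '"Name" [SMTP:user@domain]'; mailbox forwarding
        # looks like 'smtp:user@domain'. Internal AD object paths carry no '@' and are skipped.
        if     ($r -match '\[SMTP:([^\]]+)\]') { $addr = $Matches[1] }
        elseif ($r -match '@')                 { $addr = $r }
        else                                   { continue }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    # 1) Forwarding configured on the mailbox itself via Set-Mailbox (not an inbox rule)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $targets = @("$($mbx.ForwardingSmtpAddress)", "$($mbx.ForwardingAddress)") | Where-Object { $_ }
        $Findings.Add([pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding'; Rule = '-'
            Target = ($targets -join '; '); Enabled = $true; External = (Test-ExternalRecipient $targets)
        })
    }
    # 2) Inbox rules that forward or redirect; -IncludeHidden also returns rules flagged
    #    hidden that the cmdlet can still read. An empty Name is itself suspicious.
    Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden -ErrorAction SilentlyContinue |
      Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
      ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | ForEach-Object { "$_" }
        $Findings.Add([pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Type = 'InboxRule'; Rule = $_.Name
            Target = ($targets -join '; '); Enabled = $_.Enabled; External = (Test-ExternalRecipient $targets)
        })
      }
}

# External targets first; keep a CSV for the case file (path is an assumption)
$Findings | Sort-Object External -Descending | Format-Table Mailbox, Type, Rule, Enabled, External, Target -AutoSize
$Findings | Export-Csv -Path .\ForwardRuleSweep.csv -NoTypeInformation

# 3) Who created or changed rules recently, from the admin audit log (last 30 days)
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
  Select-Object RunDate, Caller, CmdletName, ObjectModified | Format-Table -AutoSize
```

Rules created through Outlook or MAPI directly do not appear in the admin audit log, so an empty audit result does not clear a mailbox that the sweep itself flagged.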