@Castaldio86
Created October 8, 2020 21:10
// Hunting window (everything newer than this timestamp is considered) and
// the New-/Set-InboxRule parameter names that move mail out of a mailbox.
let Lookback = now() - 90d;
let RuleTypes = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]);
// Base view: Office 365 audit records inside the window, with the cmdlet
// "Parameters" JSON parsed once so the later queries can inspect it.
let AllOfficeActivity =
OfficeActivity
| where TimeGenerated > Lookback
| extend Parsed = todynamic(Parameters)
;
// Display-name -> UPN lookup built from sign-ins in the window; used to
// resolve a Set-Mailbox "Identity" that is only a display name.
let Signins =
SigninLogs
| where TimeGenerated > Lookback
| summarize by UserDisplayName, UserPrincipalName
;
// Domains the tenant owns, derived from the domain part of every mailbox
// owner UPN that logged in during the window. Forwards to these domains are
// treated as internal and filtered out at the end.
let Domains =
AllOfficeActivity
| where Operation == "MailboxLogin"
| project OwnDomains = tostring(split(MailboxOwnerUPN, "@", 1)[0])
| distinct OwnDomains
;
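// Inbox rules created or changed with a forward/redirect action.
// Parameters are matched by Name instead of by array position, so the result
// does not depend on the order in which the cmdlet parameters were supplied
// (the original indexed Parsed[0]/[2]/[3] and skipped other positions).
let SetInboxRules =
AllOfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where Parsed has_any (RuleTypes)
| extend InitiatedBy = UserId
| extend ForwardSource = UserId
| mv-apply Param = Parsed on (
    summarize
        // a single cmdlet call can set several forwarding parameters; keep all
        // of them as a ';' separated list, which the final query expands again
        ForwardDestination = strcat_array(
            make_list_if(tostring(Param.Value), tostring(Param.Name) in (RuleTypes)), ";"),
        RuleName = take_anyif(tostring(Param.Value), tostring(Param.Name) == "Name")
  )
// some schema versions populate ClientIP_ instead of ClientIP
| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
// "[v6addr]:port" form first, then "addr:port"
| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
| parse kind=regex ClientIP with IPAddress2 ":" Port2
// an address without a port matches neither pattern; keep the raw value
// instead of dropping the IP from the output
| extend IPAddress = coalesce(IPAddress1, IPAddress2, ClientIP)
| extend Port = coalesce(Port1, Port2)
;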
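// Mailbox-level forwarding set with Set-Mailbox -ForwardingSmtpAddress.
// "Identity" may be a display name rather than an address, so sign-ins are
// joined to resolve it to a UPN. Parameters are matched by Name, not by
// position in the "Parameters" array.
let SetMailbox =
AllOfficeActivity
| where Operation == "Set-Mailbox"
| where Parsed has "ForwardingSmtpAddress"
| extend InitiatedBy = UserId
| mv-apply Param = Parsed on (
    summarize
        Identity = take_anyif(tostring(Param.Value), tostring(Param.Name) == "Identity"),
        ForwardingSmtpAddress = take_anyif(tostring(Param.Value),
            tostring(Param.Name) == "ForwardingSmtpAddress")
  )
| join kind=leftouter Signins on $left.Identity == $right.UserDisplayName
| extend ForwardSource = iff(Identity contains "@", Identity, UserPrincipalName)
// the value is normally "smtp:user@domain"; keep the address part and fall
// back to the raw value when no "smtp:" prefix is present
| extend ForwardDestination = coalesce(
    tostring(split(ForwardingSmtpAddress, ":")[1]), ForwardingSmtpAddress)
// the changed mailbox object stands in for a rule name in the final output
| project-rename RuleName = OfficeObjectId
// some schema versions populate ClientIP_ instead of ClientIP
| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
// "[v6addr]:port" form first, then "addr:port"
| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
| parse kind=regex ClientIP with IPAddress2 ":" Port2
// an address without a port matches neither pattern; keep the raw value
| extend IPAddress = coalesce(IPAddress1, IPAddress2, ClientIP)
| extend Port = coalesce(Port1, Port2)
;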
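// Transport (mail flow) rules that redirect messages. Records are selected on
// the redirect action itself (RedirectMessageTo) rather than on the SentTo
// condition, so redirect rules scoped by sender or subject are not missed.
// Parameters are matched by Name, not by position in the "Parameters" array.
let TransportRule =
AllOfficeActivity
| where Operation in ("New-TransportRule", "Set-TransportRule")
| where Parsed has "RedirectMessageTo"
| extend InitiatedBy = UserId
| mv-apply Param = Parsed on (
    summarize
        // SentTo is optional: it is empty when the rule is not scoped by recipient
        ForwardSource = take_anyif(tostring(Param.Value), tostring(Param.Name) == "SentTo"),
        ForwardDestination = take_anyif(tostring(Param.Value),
            tostring(Param.Name) == "RedirectMessageTo"),
        RuleName = take_anyif(tostring(Param.Value), tostring(Param.Name) == "Name")
  )
// some schema versions populate ClientIP_ instead of ClientIP
| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
// "[v6addr]:port" form first, then "addr:port"
| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
| parse kind=regex ClientIP with IPAddress2 ":" Port2
// an address without a port matches neither pattern; keep the raw value
| extend IPAddress = coalesce(IPAddress1, IPAddress2, ClientIP)
| extend Port = coalesce(Port1, Port2)
;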
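// Combine the three sources, split multi-recipient destinations into one row
// each, and drop forwards that stay inside the tenant's own domains.
// Domains are lower-cased on both sides before the anti-join because join
// equality is case-sensitive and UPN/address casing is not consistent.
SetInboxRules
| union SetMailbox, TransportRule
| project TimeGenerated, Operation, InitiatedBy, IPAddress, Port, ForwardSource, ForwardDestination, RuleName
// recipients may be separated by ';' or ', '; expand explicitly into the same
// column so the later split works on the individual address
| mv-expand ForwardDestination = split(ForwardDestination, ";") to typeof(string)
| mv-expand ForwardDestination = split(ForwardDestination, ", ") to typeof(string)
| extend ForwardDestination = trim(@"\s+", ForwardDestination)
| where ForwardDestination contains "@"
| extend ForwardDomain = tolower(tostring(split(ForwardDestination, "@", 1)[0]))
| join kind=leftanti (Domains | project OwnDomains = tolower(OwnDomains)) on $left.ForwardDomain == $right.OwnDomains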
@Castaldio86

For more information about this query read my blogpost: https://www.kustoking.com/hunting-for-suspicious-external-forwards-in-office365/
