MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Collection/ T1114.003

T1114.003Email Forwarding Rule

T1114.003 — Email Forwarding Rule is a MITRE ATT&CK technique in the Collection tactic. Clankerusecase tracks 12 detection use cases covering it and 2 threat-intel articles citing it.

Collection

View on the matrix → Filter Detection Library MITRE official spec ↗

12Use cases

2Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1114 · Email Collection

Use cases covering this technique (12)

Google Workspace email auto-forwarding to external domain Internal actions · alerting DD M365 mail-forwarding rule created Internal actions · alerting DD O365 Email New Inbox Rule Created ESCU actions · hunting P O365 Email Suspicious Behavior Alert ESCU actions · alerting P O365 Email Transport Rule Changed ESCU actions · hunting P O365 Mailbox Email Forwarding Enabled ESCU actions · alerting P O365 New Email Forwarding Rule Created ESCU actions · alerting P O365 New Email Forwarding Rule Enabled ESCU actions · alerting P O365 Suspicious Admin Email Forwarding ESCU actions · hunting P O365 Suspicious User Email Forwarding ESCU actions · hunting P [LLM] AI-agent-driven mailbox auto-forwards messages to first-time-seen external recipient Bespoke actions · alerting DSPDD [LLM] Outbound email BCC'd to giftshop.club exfil domain (postmark-mcp backdoor) Bespoke actions · alerting DSΣPDD

Articles citing this technique (2)

high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41

high Malicious MCP Server on npm postmark-mcp Harvests Emails art-776