Microsoft 365 Inbox Forwarding Rule Created

Elastic Detection Rules

Summary
This detection rule monitors the creation of new inbox forwarding rules within Microsoft 365. Attackers may use inbox rules to automatically forward email to unauthorized external addresses, exfiltrating data without making broader changes in the organization. The rule looks for successful inbox-rule creation events that specify a forwarding action, which can indicate unauthorized behavior. Analysts are advised to investigate the user who created the rule, the destination address it specifies, and any recent unusual activity associated with that user. The rule may generate false positives from legitimate use, so matches should be verified against company policy, with exceptions added for expected behavior. Response steps include disabling unauthorized rules, reviewing the user's activity, and strengthening monitoring and security configuration to prevent recurrence.
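As an added illustration that is not part of this page or of the Elastic rule itself, the following Python applies the logic described above to Microsoft 365 Unified Audit Log records. The field names (Workload, Operation, ResultStatus, Parameters) and the forwarding parameters ForwardTo, ForwardAsAttachmentTo and RedirectTo are assumed from the Exchange admin audit format; the log records are constructed.

```python
import json

# Constructed Unified Audit Log records (Exchange cmdlet audit events), one JSON
# object per line, embedded so the example runs offline.
SAMPLE_AUDIT_LOG = """
{"UserId":"alice@example.com","Workload":"Exchange","Operation":"New-InboxRule","ResultStatus":"True","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"collector@example.net"}]}
{"UserId":"bob@example.com","Workload":"Exchange","Operation":"New-InboxRule","ResultStatus":"True","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"UserId":"carol@example.com","Workload":"Exchange","Operation":"New-InboxRule","ResultStatus":"False","Parameters":[{"Name":"Name","Value":"Fwd"},{"Name":"RedirectTo","Value":"x@example.net"}]}
{"UserId":"dave@example.com","Workload":"Exchange","Operation":"Set-InboxRule","ResultStatus":"True","Parameters":[{"Name":"Identity","Value":"Old"},{"Name":"ForwardAsAttachmentTo","Value":"y@example.net"}]}
"""

# New-InboxRule parameters that send a copy of, or redirect, a message
# (assumed names from the Exchange cmdlet; ordered for deterministic output).
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def load_records(text):
    """Parse JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parameters_of(record):
    """Flatten the cmdlet Parameters array into a name -> value mapping."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_forwarding_rule_creation(record):
    """True when a successful inbox-rule creation specifies a forwarding action.
    Only New-InboxRule is considered, matching the rule's scope; the failed
    creation and the Set-InboxRule modification in the sample do not match."""
    if record.get("Workload") != "Exchange" or record.get("Operation") != "New-InboxRule":
        return False
    if record.get("ResultStatus") not in ("True", "Succeeded"):  # assumed success values
        return False
    params = parameters_of(record)
    return any(params.get(name) for name in FORWARDING_PARAMS)


def find_forwarding_rules(records):
    """Return one finding per match with the fields an analyst triages first."""
    hits = []
    for rec in records:
        if is_forwarding_rule_creation(rec):
            params = parameters_of(rec)
            targets = [params[n] for n in FORWARDING_PARAMS if params.get(n)]
            hits.append({"user": rec.get("UserId"), "rule": params.get("Name"), "targets": targets})
    return hits


if __name__ == "__main__":
    for hit in find_forwarding_rules(load_records(SAMPLE_AUDIT_LOG)):
        print(hit)
```

Each finding carries the creating user, the rule name and the forwarding destinations, which are the three items the investigation steps above start from.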
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Process
ATT&CK Techniques
  • T1114
  • T1114.003
Created: 2021-03-29