Summary
This detection rule alerts on the creation of new email forwarding rules in an Office 365 environment. It monitors the `o365_management_activity` data source for New-InboxRule and Set-InboxRule operations and inspects the `ForwardTo`, `ForwardAsAttachmentTo`, and `RedirectTo` parameters; an inbox rule that sets any of these can be used by an attacker to exfiltrate or intercept a user's mail. The analytic is a structured search that fires whenever one of these parameters is present on such an operation. A confirmed unauthorized forwarding rule indicates a likely breach in which the attacker has diverted communications, which poses a significant security risk and can lead to data loss. Deploying this rule requires the Splunk Microsoft Office 365 Add-on to ingest the necessary events. The rule also notes that benign user actions, such as legitimate forwarding setups, can produce false positives.
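The following Python script is an added example, not part of the rule or the Splunk content, that reproduces the detection logic described above outside of Splunk: it reads Exchange admin-audit records, keeps only New-InboxRule and Set-InboxRule operations, and reports any that carry a `ForwardTo`, `ForwardAsAttachmentTo`, or `RedirectTo` parameter. The sample events are constructed here and only approximate the shape of O365 Management Activity API records (a `Parameters` list of Name/Value pairs); the `internal_domains` argument and the `external` and `deletes_message` fields are triage hints added for this example to help separate the legitimate forwarding setups the rule warns about from destinations outside the tenant, and are not part of the rule's own logic.

```python
import json
from typing import Iterable

# Operations and rule parameters the detection keys on (from the rule summary).
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records, shaped like Exchange admin-audit events from the
# O365 Management Activity API; "Parameters" is a list of Name/Value pairs.
SAMPLE_EVENTS = [
    json.dumps({
        "CreationTime": "2024-11-14T09:12:01", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "alice@example.com", "ObjectId": "Invoices",
        "Parameters": [
            {"Name": "Name", "Value": "Invoices"},
            {"Name": "SubjectContainsWords", "Value": "invoice"},
            {"Name": "ForwardTo", "Value": "collector@example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ]}),
    json.dumps({
        "CreationTime": "2024-11-14T09:15:44", "Operation": "Set-InboxRule",
        "Workload": "Exchange", "UserId": "bob@example.com", "ObjectId": "Cover for leave",
        "Parameters": [
            {"Name": "Identity", "Value": "Cover for leave"},
            {"Name": "RedirectTo", "Value": "carol@example.com"},
        ]}),
    json.dumps({  # inbox rule with no forwarding parameter: must not fire
        "CreationTime": "2024-11-14T09:20:10", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "dave@example.com", "ObjectId": "Newsletters",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ]}),
    json.dumps({  # mailbox-level forwarding: a different operation, outside this rule's scope
        "CreationTime": "2024-11-14T09:25:00", "Operation": "Set-Mailbox",
        "Workload": "Exchange", "UserId": "admin@example.com", "ObjectId": "erin@example.com",
        "Parameters": [
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:erin@example.net"},
        ]}),
]


def parameters(event: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def find_forwarding_rules(lines: Iterable[str], internal_domains: set) -> list:
    """Apply the rule's logic: inbox-rule operations that carry a forwarding parameter.

    internal_domains (assumed tenant domains) only drives the 'external' triage hint.
    """
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = parameters(event)
        for name in sorted(set(params) & FORWARDING_PARAMETERS):
            dest = params[name]
            domain = dest.rsplit("@", 1)[-1].lower()
            findings.append({
                "time": event.get("CreationTime"),
                "user": event.get("UserId"),
                "operation": event["Operation"],
                "rule": event.get("ObjectId"),
                "parameter": name,
                "destination": dest,
                # Triage hints beyond the rule itself: off-tenant destination and
                # a rule that also deletes the message (hides the diversion from the user).
                "external": domain not in internal_domains,
                "deletes_message": params.get("DeleteMessage") == "True",
            })
    return findings


if __name__ == "__main__":
    for finding in find_forwarding_rules(SAMPLE_EVENTS, {"example.com"}):
        print(json.dumps(finding))
```

Run against the sample events with `example.com` as the tenant domain, the script reports two inbox rules: Alice's rule forwarding to an external address while deleting the original, and Bob's redirect to an internal colleague (the kind of legitimate setup the rule flags as a false-positive source). The mailbox-level `Set-Mailbox` event is ignored because the rule only covers inbox-rule operations.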
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1114
- T1114.003
Created: 2024-11-14