
Summary
The rule 'O365 Auto Forward' detects unauthorized email forwarding rules configured on Office 365 mailboxes, which can indicate a data breach in progress. Specifically, it monitors for the creation of forwarding configurations that could direct sensitive mail to external addresses. This tactic is associated with threat actor groups, notably SEABORGIUM, which are known to use mailbox forwarding for data exfiltration. The detection logic uses Splunk's search capabilities to gather Office 365 cloud data and filters for forwarding-related actions, namely 'Set-Mailbox' commands that either set a 'ForwardingSmtpAddress' or use 'DeliverToMailboxAndForward'. The rule excludes events in which these parameters are empty, so that only actionable configurations are flagged. The results are then tabulated to present the essential user and event details needed for investigation. The rule maps to the MITRE ATT&CK technique T1114.003 (email forwarding rule), which belongs to the Collection phase of email data exfiltration, and it raises alerts from Office 365 audit logs on the key actions that can signify malicious activity.
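The filtering logic the summary describes, re-implemented in Python over constructed Office 365 audit records. This is an added example, not the Splunk rule's own search or any Splunk project code: the record layout (Operation, UserId, ObjectId, ClientIP and a Parameters list of Name/Value pairs) follows the general shape of Exchange admin audit events, the sample records and addresses are made up, and the list of internal domains used to decide whether a forwarding target is external is an assumption for the example. It goes slightly beyond the rule by tagging each finding as internal or external, which is the first thing an analyst checks during triage.

```python
import json

# Constructed Office 365 Unified Audit Log records (not real data). The field
# layout follows the Exchange admin audit shape; every value below is made up.
SAMPLE_RECORDS = [
    # 1. Forwarding set to an outside domain, with a copy kept in the mailbox
    json.dumps({"CreationTime": "2024-02-09T08:14:02", "Operation": "Set-Mailbox",
                "UserId": "admin@corp.example.com", "ObjectId": "alice@corp.example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Identity", "Value": "alice@corp.example.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    # 2. Forwarding cleared: both parameters empty, excluded by the rule
    json.dumps({"CreationTime": "2024-02-09T08:20:00", "Operation": "Set-Mailbox",
                "UserId": "admin@corp.example.com", "ObjectId": "bob@corp.example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""},
                               {"Name": "DeliverToMailboxAndForward", "Value": ""}]}),
    # 3. Unrelated Set-Mailbox change, no forwarding parameters at all
    json.dumps({"CreationTime": "2024-02-09T09:01:10", "Operation": "Set-Mailbox",
                "UserId": "admin@corp.example.com", "ObjectId": "carol@corp.example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]}),
    # 4. Forwarding to another mailbox in the same tenant (flagged, but internal)
    json.dumps({"CreationTime": "2024-02-09T09:30:45", "Operation": "Set-Mailbox",
                "UserId": "dave@corp.example.com", "ObjectId": "dave@corp.example.com",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@corp.example.com"}]}),
    # 5. A different operation entirely; the rule only looks at Set-Mailbox
    json.dumps({"CreationTime": "2024-02-09T09:31:00", "Operation": "MailboxLogin",
                "UserId": "dave@corp.example.com", "ObjectId": "dave@corp.example.com",
                "ClientIP": "198.51.100.7", "Parameters": []}),
]

# Assumed list of the organisation's own mail domains (example value).
INTERNAL_DOMAINS = {"corp.example.com"}


def parse_parameters(record):
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p.get("Name", ""): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_forwarding_change(record):
    """Mirror the rule: Set-Mailbox that sets ForwardingSmtpAddress or
    DeliverToMailboxAndForward, ignoring events where both are empty."""
    if record.get("Operation") != "Set-Mailbox":
        return False
    params = parse_parameters(record)
    forward_to = params.get("ForwardingSmtpAddress", "").strip()
    deliver_and_forward = params.get("DeliverToMailboxAndForward", "").strip()
    return bool(forward_to) or deliver_and_forward.lower() == "true"


def is_external(address, internal_domains):
    """True when the forwarding target's domain is not one of ours."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in internal_domains


def detect_auto_forward(lines, internal_domains=INTERNAL_DOMAINS):
    """Run the detection over JSON audit lines; return one finding per hit,
    with the user and event details an analyst needs for investigation."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if not is_forwarding_change(rec):
            continue
        params = parse_parameters(rec)
        forward_to = params.get("ForwardingSmtpAddress", "")
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "mailbox": rec.get("ObjectId"),
            "client_ip": rec.get("ClientIP"),
            "forward_to": forward_to,
            "deliver_and_forward": params.get("DeliverToMailboxAndForward", ""),
            "external": bool(forward_to.strip()) and is_external(forward_to, internal_domains),
        })
    return findings


if __name__ == "__main__":
    for f in detect_auto_forward(SAMPLE_RECORDS):
        print(f)
```

Records 1 and 4 are the only hits: record 2 is excluded because both parameters are empty (the rule's own exclusion), record 3 touches no forwarding parameter, and record 5 is not a Set-Mailbox operation. Of the two hits, only record 1 forwards outside the tenant, which is the case that warrants immediate escalation; an internal forward like record 4 is still worth a look but is usually a legitimate delegation.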
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1114.003
Created: 2024-02-09