diff --git a/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.txt b/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.txt
index f91ee19484d..b7e648b1555 100644
--- a/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.txt
+++ b/Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.txt
@@ -9,10 +9,11 @@
 // Techniques: #Exfiltration
 //
 OfficeActivity
-| where Operation == "Set-Mailbox"
 | where TimeGenerated >= ago(30d)
-| where Parameters contains "ForwardingSmtpAddress"
+| where (Operation == "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress') or (Operation == 'New-InboxRule' and Parameters contains 'ForwardTo')
 | extend parsed=parse_json(Parameters)
-| extend parameterName=parsed[1].Name, fwdingDestination=tostring(parsed[1].Value)
+| extend fwdingDestination = iif(Operation=="Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value))
 | where fwdingDestination != ""
-
\ No newline at end of file
+| project TimeGenerated, UserId, Operation, fwdingDestination, ClientIP
+
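Review bot: The new `extend` still picks the forwarding target by array position (`parsed[1]` for Set-Mailbox, `parsed[2]` for New-InboxRule), so an event whose Parameters array is ordered differently or carries extra parameters will likely surface the wrong value as `fwdingDestination` or be dropped by the `!= ""` filter without any indication. Selecting by parameter name avoids that dependency: `| mv-expand parsed` / `| where tostring(parsed.Name) in ("ForwardingSmtpAddress", "ForwardTo")` / `| extend fwdingDestination = tostring(parsed.Value)`. A by-name lookup also makes it straightforward to cover related forwarding parameters such as `ForwardingAddress`, `ForwardAsAttachmentTo` and `RedirectTo` if the hunt is meant to be complete. The new `where` line mixes quote styles (`"Set-Mailbox"` vs `'New-InboxRule'`); pick one for readability. The query's header comments sit above the hunk.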