Microsoft 365 Inbound Connector added or modified

microsoft-365

Classification:

attack

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user adds or modifies a Microsoft 365 Inbound Connector.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operation New-InboundConnector or Set-InboundConnector. Connectors are used for enabling mail flow between Microsoft 365 and email servers that you have in your on-premise environment. Attackers may create a new connector to send spam or phishing emails.

Triage and response

  1. Inspect the @Parameters.SenderIPAddresses attribute to determine if the IP addresses match known ranges.
  2. Determine if there is a legitimate use case for the Inbound Connector by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the Inbound Connector:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.