Microsoft 365 Inbound Connector added or modified


Goal

Detect when a user adds or modifies a Microsoft 365 Inbound Connector.

Strategy

Monitor Microsoft 365 Exchange audit logs for the operations New-InboundConnector or Set-InboundConnector. Inbound connectors enable mail flow from your on-premises email servers (or a partner organization) into Microsoft 365. An attacker with sufficient privileges may create or modify an inbound connector so that mail from infrastructure they control is accepted and relayed through the tenant, letting them send spam or phishing emails that inherit the organization's domain and reputation.

Triage and response

  1. Inspect the @Parameters.SenderIPAddresses attribute to determine whether the IP addresses or ranges match the known ranges of your on-premises mail servers or approved partners.
  2. Determine if there is a legitimate use case for the Inbound Connector by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the Inbound Connector:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.
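The detection described under Strategy and the sender-range check in triage step 1, worked as an added example that is not part of the original rule or of any Datadog or Microsoft code. The records are constructed here and modelled on the Office 365 Management Activity schema for Exchange admin events (Operation, UserId, ClientIP, and Parameters as Name/Value pairs); the KNOWN_SENDER_RANGES list and the example.com users are hypothetical placeholders.

```python
import ipaddress
import json

# Operations this rule watches in Exchange admin audit records.
WATCHED_OPERATIONS = {"New-InboundConnector", "Set-InboundConnector"}

# Hypothetical: the ranges your on-premises mail servers send from.
KNOWN_SENDER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed sample records (newline-delimited JSON), not real audit data.
SAMPLE_RECORDS = [
    json.dumps({"Workload": "Exchange", "RecordType": 1, "Operation": "New-InboundConnector",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "OnPremRelay"},
                               {"Name": "ConnectorType", "Value": "OnPremises"},
                               {"Name": "SenderIPAddresses", "Value": "203.0.113.10;203.0.113.11"}]}),
    json.dumps({"Workload": "Exchange", "RecordType": 1, "Operation": "Set-InboundConnector",
                "UserId": "helpdesk@example.com", "ClientIP": "192.0.2.44",
                "Parameters": [{"Name": "Identity", "Value": "OnPremRelay"},
                               {"Name": "SenderIPAddresses", "Value": "192.0.2.0/24"}]}),
    json.dumps({"Workload": "Exchange", "RecordType": 1, "Operation": "Set-InboundConnector",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Identity", "Value": "OnPremRelay"},
                               {"Name": "Enabled", "Value": "True"}]}),
    json.dumps({"Workload": "Exchange", "RecordType": 1, "Operation": "Set-Mailbox",
                "UserId": "helpdesk@example.com", "ClientIP": "192.0.2.44",
                "Parameters": [{"Name": "Identity", "Value": "user@example.com"}]}),
]


def parameters_to_dict(record):
    """Flatten the Parameters array of Name/Value pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def parse_sender_ips(value):
    """Split a SenderIPAddresses value into networks.

    Exchange accepts single addresses and CIDR ranges; the audit record
    joins them with ';' (',' is also tolerated). Single hosts become /32 or /128.
    """
    nets = []
    for token in value.replace(",", ";").split(";"):
        token = token.strip()
        if token:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def in_known_ranges(net, known=KNOWN_SENDER_RANGES):
    """True if net lies entirely inside one of the approved ranges."""
    return any(net.version == k.version and net.subnet_of(k) for k in known)


def evaluate(record):
    """Return a finding for a watched connector operation, else None."""
    if record.get("Workload") != "Exchange":
        return None
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return None
    params = parameters_to_dict(record)
    raw = params.get("SenderIPAddresses")
    # A Set-InboundConnector that does not touch SenderIPAddresses still
    # matches the rule; it just has no senders to compare against.
    unknown = []
    if raw is not None:
        unknown = [str(n) for n in parse_sender_ips(raw) if not in_known_ranges(n)]
    return {
        "operation": record["Operation"],
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "connector": params.get("Name") or params.get("Identity"),
        "sender_ips_specified": raw is not None,
        "unknown_senders": unknown,
    }


def detect(lines):
    """Run evaluate() over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        finding = evaluate(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

A finding whose unknown_senders list is non-empty is the one to escalate first: an inbound connector that accepts mail from ranges outside your own infrastructure is the pattern the Strategy section warns about. A match with an empty list still needs the owner confirmation in triage step 2, since an attacker can also re-point an existing connector at a range that happens to be approved.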

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.