Microsoft 365 Exchange inbox rule name associated with business email compromise attacks
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a user configures an inbox rule with a name commonly associated with business email compromises.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operation New-InboxRule
or Set-InboxRule
. Attackers might set up email rules to hide incoming emails in a compromised user mailbox to hide their activities or maintain access to the victim’s inbox. Attackers may use simple names like .
or ...
for their malicious inbox rules, which are uncommon in most environments.
Triage and response
- Inspect the inbox rule for any indicators:
- Suspicious keywords in the filter.
- The rule name.
- Determine if there is a legitimate use case for the inbox rule by contacting the user
{{@usr.email}}
. - If
{{@usr.email}}
is not aware of the inbox rule:- Investigate other activities performed by the user
{{@usr.email}}
using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
Changelog
- 1 July 2024 - Updated rule query.
- 23 July 2024 - Updated rule query.