Microsoft 365 Exchange inbox rule name associated with business email compromise attacks
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a user configures an inbox rule with a name commonly associated with business email compromises.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operation New-InboxRule or Set-InboxRule. Attackers might set up email rules to hide incoming emails in a compromised user mailbox to hide their activities or maintain access to the victim’s inbox. Attackers may use simple names like . or ... for their malicious inbox rules, which are uncommon in most environments.
Triage and response
- Inspect the inbox rule for any indicators:
- Suspicious keywords in the filter.
- The rule name.
- Determine if there is a legitimate use case for the inbox rule by contacting the user
{{@usr.email}}. - If
{{@usr.email}} is not aware of the inbox rule:- Investigate other activities performed by the user
{{@usr.email}} using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
