Microsoft 365 Exchange inbox rule name associated with business email compromise attacks
Goal
Detect when a user configures an inbox rule with a name commonly associated with business email compromises.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operation New-InboxRule or Set-InboxRule. Attackers might set up email rules to hide incoming emails in a compromised user mailbox to hide their activities or maintain access to the victim's inbox. Attackers may use simple names like . or ... for their malicious inbox rules, which are uncommon in most environments.
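The detection logic described above, written out as an added Python example that is not Datadog's rule query and not code from this page: it reads audit records as JSON lines, keeps only New-InboxRule and Set-InboxRule operations, and flags rules whose name consists solely of punctuation such as "." or "...". The record shape (Operation, UserId, CreationTime, and a Parameters array of Name/Value pairs) is an assumption modelled on Microsoft 365 Unified Audit Log entries, and the sample records and addresses are constructed.

```python
import json
import re

# The two Exchange operations the strategy section says to watch.
INBOX_RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# A rule name made only of dots, dashes, underscores, commas, colons or
# whitespace (e.g. ".", "..", "...") is treated as suspicious. This is a
# constructed heuristic, not the vendor's exact match list.
SUSPICIOUS_NAME = re.compile(r"^[\s.\-_,;:]+$")

# Constructed sample audit records (JSON lines). Field layout is an
# assumption modelled on Unified Audit Log records; values are made up.
SAMPLE_AUDIT_LOG = [
    json.dumps({"CreationTime": "2024-07-01T08:12:00", "Operation": "New-InboxRule",
                "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"CreationTime": "2024-07-01T09:30:00", "Operation": "Set-InboxRule",
                "UserId": "bob@example.com",
                "Parameters": [{"Name": "Identity", "Value": "..."},
                               {"Name": "Name", "Value": "..."},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-07-01T10:05:00", "Operation": "New-InboxRule",
                "UserId": "carol@example.com",
                "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                               {"Name": "MoveToFolder", "Value": "Finance"}]}),
    json.dumps({"CreationTime": "2024-07-01T10:40:00", "Operation": "Set-Mailbox",
                "UserId": "dave@example.com",
                "Parameters": [{"Name": "Name", "Value": "."}]}),
    "not json at all",  # malformed line, must be skipped rather than crash the loop
]


def parameters(record):
    """Flatten the Name/Value parameter list into a dict for easy lookup."""
    return {p.get("Name"): p.get("Value", "") for p in record.get("Parameters", [])}


def rule_name(record):
    """Return the inbox rule's Name parameter, or '' if absent."""
    return parameters(record).get("Name", "")


def is_suspicious_inbox_rule(record):
    """True when an inbox rule is created/changed with a punctuation-only name."""
    if record.get("Operation") not in INBOX_RULE_OPERATIONS:
        return False
    return SUSPICIOUS_NAME.fullmatch(rule_name(record)) is not None


def triage_queue(lines):
    """Parse JSON audit lines and return one triage entry per suspicious rule.

    Each entry carries the fields an analyst needs for the triage steps on
    the page: who to contact, what was done, the rule name, and the filter
    and action parameters to inspect for suspicious keywords.
    """
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: skip, do not abort the whole batch
        if not is_suspicious_inbox_rule(rec):
            continue
        params = parameters(rec)
        hits.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "rule_name": params.get("Name", ""),
            # everything except the name is the filter/action to inspect
            "filter": {k: v for k, v in params.items() if k != "Name"},
        })
    return hits


if __name__ == "__main__":
    for hit in triage_queue(SAMPLE_AUDIT_LOG):
        print(f"{hit['time']} {hit['user']} {hit['operation']} "
              f"name={hit['rule_name']!r} filter={hit['filter']}")
```

Running the block prints the two constructed records that match (alice's New-InboxRule named "." and bob's Set-InboxRule named "..."); the legitimately named rule and the non-inbox-rule operation are left alone, and the malformed line is skipped.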
Triage and response
- Inspect the inbox rule for any indicators:
  - Suspicious keywords in the filter.
  - The rule name.
- Determine if there is a legitimate use case for the inbox rule by contacting the user {{@usr.email}}.
- If {{@usr.email}} is not aware of the inbox rule:
  - Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
  - Begin your organization's incident response process and investigate.
Changelog
- 1 July 2024 - Updated rule query.
- 23 July 2024 - Updated rule query.