Microsoft 365 Exchange junk email settings modified by a suspicious VPN

microsoft-365

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1564-hide-artifacts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when the Exchange junk email settings have been modified by a suspicious VPN.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operation Set-MailboxJunkEmailConfiguration. Attackers who have gained unauthorized access to a victim’s account may modify junk email settings to redirect incoming emails. This technique could be used by an attacker to avoid detections focussing on email inbox rules.

Triage and response

  1. Identify any additional unusual behaviors:
    • Previous failed logins.
    • Unexpected VPN usage.
    • Unusual user agent.
  2. Contact the user {{@usr.email}} to determine if they made the change to the junk email configuration.
  3. If {{@usr.email}} is not aware of the activity:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.