Microsoft 365 Inbound Connector added or modified

microsoft-365

Classification:

attack

Goal

Detect when a user adds or modifies a Microsoft 365 Inbound Connector.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for the operation New-InboundConnector or Set-InboundConnector. Connectors are used for enabling mail flow between Microsoft 365 and email servers that you have in your on-premise environment. Attackers may create a new connector to send spam or phishing emails.

Triage and response

  1. Inspect the @Parameters.SenderIPAddresses attribute to determine if the IP addresses match known ranges.
  2. Determine if there is a legitimate use case for the Inbound Connector by contacting the user {{@usr.email}}.
  3. If {{@usr.email}} is not aware of the Inbound Connector:
    • Investigate other activities performed by the user {{@usr.email}} using the Cloud SIEM - User Investigation dashboard.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.