Microsoft 365 Exchange inbox rule name associated with business email compromise attacks
Goal
Detect when a user configures an inbox rule with a name commonly associated with business email compromises.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operation `New-InboxRule` or `Set-InboxRule`. Attackers might set up email rules to hide incoming emails in a compromised user mailbox, either to conceal their activities or to maintain access to the victim's inbox. Attackers may use simple names like `.` or `...` for their malicious inbox rules, which are uncommon in most environments.
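The following Python script is an added illustration of the strategy above, not Datadog's rule query: it scans constructed audit records shaped like Microsoft 365 unified audit log entries for Exchange cmdlets (the `Operation`, `UserId` and `Parameters` fields, where `Parameters` is a list of `Name`/`Value` pairs) and flags `New-InboxRule` or `Set-InboxRule` events whose rule name is `.` or `...`. The sample records and user addresses are constructed for the example.

```python
import json

# Operations the detection watches (from the strategy above).
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule names the strategy calls out as commonly used in BEC intrusions.
SUSPICIOUS_RULE_NAMES = {".", "..."}

# Constructed sample audit log, one JSON record per line, shaped like
# Microsoft 365 unified audit log entries for Exchange cmdlets.
SAMPLE_AUDIT_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [{"Name": "Name", "Value": "..."}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "Set-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": " . "}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "Set-Mailbox", "UserId": "dave@example.com", "Parameters": [{"Name": "Name", "Value": "."}]}
"""


def parse_audit_lines(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_name(record):
    """Return the inbox rule's Name parameter, or None if it is absent."""
    for param in record.get("Parameters", []):
        if param.get("Name") == "Name":
            return param.get("Value")
    return None


def is_suspicious(record):
    """True for a watched cmdlet whose rule name (whitespace stripped) is
    one of the names the strategy associates with BEC activity."""
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return False
    name = rule_name(record)
    return name is not None and name.strip() in SUSPICIOUS_RULE_NAMES


def find_suspicious_rules(records):
    """Return (user, operation, rule name) for each matching record."""
    return [(r.get("UserId"), r["Operation"], rule_name(r))
            for r in records if is_suspicious(r)]


if __name__ == "__main__":
    for user, op, name in find_suspicious_rules(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {op} by {user}: rule name {name!r}")
```

Only the second and third records match; the `Set-Mailbox` record is ignored because the cmdlet is not one the rule watches.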
Triage and response
- Inspect the inbox rule for any indicators:
  - Suspicious keywords in the filter.
  - The rule name.
- Determine if there is a legitimate use case for the inbox rule by contacting the user `{{@usr.email}}`.
- If `{{@usr.email}}` is not aware of the inbox rule:
  - Investigate other activities performed by the user `{{@usr.email}}` using the Cloud SIEM - User Investigation dashboard.
  - Begin your organization's incident response process and investigate.
Changelog
- 1 July 2024 - Updated rule query.
- 23 July 2024 - Updated rule query.