Microsoft 365 Inbox Forwarding Rule Created

calendar Apr 2, 2024 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Collection  ·
Share on: linkedin copy

Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/03/29"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic", "Gary Blackwell", "Austin Songer"]
11description = """
12Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
13on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
14abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
15having the corresponding privileges.
16"""
17false_positives = [
18    """
19    Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company
20    policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
21    """,
22]
23from = "now-30m"
24index = ["filebeat-*", "logs-o365*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Microsoft 365 Inbox Forwarding Rule Created"
28note = """## Setup
29
30The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = [
32    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
33    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
34    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
35    "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf",
36]
37risk_score = 47
38rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
39severity = "medium"
40tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:o365.audit and event.provider:Exchange and
46event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
47    (
48        o365.audit.Parameters.ForwardTo:* or
49        o365.audit.Parameters.ForwardAsAttachmentTo:* or
50        o365.audit.Parameters.RedirectTo:*
51    )
52    and event.outcome:success
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1114"
60name = "Email Collection"
61reference = "https://attack.mitre.org/techniques/T1114/"
62[[rule.threat.technique.subtechnique]]
63id = "T1114.003"
64name = "Email Forwarding Rule"
65reference = "https://attack.mitre.org/techniques/T1114/003/"
66
67
68
69[rule.threat.tactic]
70id = "TA0009"
71name = "Collection"
72reference = "https://attack.mitre.org/tactics/TA0009/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • Responding to a Compromised Email Account - Microsoft Defender for Office 365

    Learn how to recognize and respond to a compromised email account using tools available in Microsoft 365.


    Read More

  • New-InboxRule (ExchangePowerShell)

    When you create, modify, remove, enable, or disable an Inbox rule in Exchange PowerShell, any client-side rules disabled by Microsoft Outlook and outbound rules are removed. Parameters that are used for conditions also have corresponding exception parameters. When conditions specified in an exception are matched, the rule isn't applied to the message. Exception parameters begin with ExceptIf. For example, the exception parameter for SubjectOrBodyContainsWords is ExceptIfSubjectOrBodyContainsWords. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

  • Detect and remediate the Outlook rules and custom forms injections attacks. - Microsoft Defender for Office 365

    Learn how to recognize and remediate the Outlook rules and custom forms injections attacks in Office 365


    Read More

  • %PDF-1.7 %µµµµ 1 0 obj /Metadata 264 0 R/ViewerPreferences 265 0 R>> endobj 2 0 obj endobj 3 0 obj /Font /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 960 540] /Contents 4 0 R/...


    Read More

Related rules

to-top