Email Forwarding Rule - Suspicious Forwarding Criteria
Detects the creation or modification of Exchange Online inbox rules (New-InboxRule / Set-InboxRule) whose parameters contain strings such as "Invoice", "Payroll" or "Password Reset", criteria typical of rules an attacker sets up to divert or hide financially sensitive mail. Derived from the Red Canary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Email Forwarding Rule - Suspicious Forwarding Criteria
id: 7315f2c5-892c-4c18-bda4-b788ef9219a2
status: experimental
description: |
    Detects the creation of email forwarding rules with suspicious strings indicating
    forwarding criteria meant to steal sensitive information. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.collection
    - attack.t1114
    - attack.t1114.003
logsource:
    service: exchange
    product: m365
detection:
    selection:
        Workload: 'Exchange'
        Operation:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        # Sigma 'contains' is a case-insensitive substring match against the Parameters field
        Parameters|contains:
            - 'ACH'
            - 'Invoice'
            - 'Payroll'
            - 'Password Reset'
            - 'Login code'
    condition: selection
falsepositives:
    - Unknown
level: low
```
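To see what the `selection` above actually fires on, here is the rule's logic run over a few constructed Microsoft 365 Unified Audit Log records. This is an added example, not code from the rule's author or from Red Canary; the sample events, the user names and the `flatten_parameters` helper (which joins the `Name`/`Value` pairs of the audit log's `Parameters` array into one string, the way a SIEM typically presents the field to a Sigma `contains` test) are assumptions for illustration. The `whole_word` option is likewise an added tightening, not part of the rule: it shows why the short token `ACH`, matched as a case-insensitive substring, also hits benign rules that mention "Attachments".

```python
import re

# Selection fields and keyword list taken verbatim from the Sigma rule above.
RULE_WORKLOAD = "Exchange"
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
RULE_KEYWORDS = ["ACH", "Invoice", "Payroll", "Password Reset", "Login code"]

# Constructed sample events shaped like Unified Audit Log ExchangeAdmin records
# (Workload, Operation, UserId, Parameters as Name/Value pairs). Made up for this
# example; not real audit data.
SAMPLE_EVENTS = [
    {   # classic BEC pattern: terse name, finance keywords, hide in RSS folder
        "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;ACH;wire"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # benign: user files a vendor newsletter
        "Workload": "Exchange", "Operation": "Set-InboxRule", "UserId": "bob@example.com",
        "Parameters": [
            {"Name": "Identity", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Reading"},
        ],
    },
    {   # benign, but "Attachments" contains the substring "ach"
        "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "carol@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "Attachments"},
            {"Name": "HasAttachment", "Value": "True"},
            {"Name": "MoveToFolder", "Value": "Attachments"},
        ],
    },
    {   # wrong workload/operation: keyword present but the rule must not fire
        "Workload": "SharePoint", "Operation": "FileDownloaded", "UserId": "dave@example.com",
        "Parameters": "Invoice_Q3.xlsx",
    },
]


def flatten_parameters(event):
    """Return Parameters as the single string a Sigma `contains` is applied to.

    Exports carry Parameters either as a list of {"Name","Value"} objects or, after
    some SIEM normalisations, already as one string; handle both (assumed layout)."""
    params = event.get("Parameters", "")
    if isinstance(params, str):
        return params
    return ";".join(f"{p.get('Name', '')}={p.get('Value', '')}" for p in params)


def matched_keywords(event, whole_word=False):
    """Keywords from the rule present in the event's Parameters.

    whole_word=False reproduces Sigma's `contains` (case-insensitive substring).
    whole_word=True is an added tightening: the keyword may not be glued to other
    alphanumerics, so 'ACH' inside 'Attachments' no longer counts."""
    haystack = flatten_parameters(event)
    hits = []
    for kw in RULE_KEYWORDS:
        if whole_word:
            pattern = r"(?<![A-Za-z0-9])" + re.escape(kw) + r"(?![A-Za-z0-9])"
            found = re.search(pattern, haystack, re.IGNORECASE) is not None
        else:
            found = kw.lower() in haystack.lower()
        if found:
            hits.append(kw)
    return hits


def matches_rule(event, whole_word=False):
    """Evaluate the rule's `selection`: all three field conditions must hold."""
    return (
        event.get("Workload") == RULE_WORKLOAD
        and event.get("Operation") in RULE_OPERATIONS
        and bool(matched_keywords(event, whole_word))
    )


def run_detection(events, whole_word=False):
    """Return (UserId, Operation, matched keywords) for every event that fires."""
    return [
        (e.get("UserId"), e["Operation"], matched_keywords(e, whole_word))
        for e in events
        if matches_rule(e, whole_word)
    ]


if __name__ == "__main__":
    print("as written:", run_detection(SAMPLE_EVENTS))
    print("whole-word:", run_detection(SAMPLE_EVENTS, whole_word=True))
```

Run as written, the rule fires on alice (ACH, Invoice) and on carol's harmless "Attachments" rule; with `whole_word=True` only alice remains. That substring behaviour of `ACH` is the main source of noise to expect from this rule, which is consistent with its `level: low` and `falsepositives: Unknown`. Note also that the rule keys only on keywords, not on `ForwardTo`, `RedirectTo` or `DeleteMessage`, so despite its title it catches move-and-hide rules like alice's as well as true forwarding rules.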