Email Forwarding Rule - Suspicious Forwarding Criteria

Detects the creation of email forwarding rules with suspicious strings indicating forwarding criteria meant to steal sensitive information. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Email Forwarding Rule - Suspicious Forwarding Criteria
id: 7315f2c5-892c-4c18-bda4-b788ef9219a2
status: experimental
description: |
    Detects the creation of email forwarding rules with suspicious strings indicating
    forwarding criteria meant to steal sensitive information. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.collection
    - attack.t1114
    - attack.t1114.003
logsource:
    service: exchange
    product: m365
detection:
    selection:
        Workload: 'Exchange'
        Operation:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        Parameters|contains:
            - 'ACH'
            - 'Invoice'
            - 'Payroll'
            - 'Password Reset'
            - 'Login code'
    condition: selection
falsepositives:
    - Unknown
level: low
```
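To see how the selection above behaves on real-shaped telemetry, here is an added example (not part of the rule or of RedCanary's material) that applies the same logic to constructed M365 Unified Audit Log records. It assumes the Office 365 Management API record shape (`Workload`, `Operation`, and `Parameters` as a list of `Name`/`Value` objects) and that Sigma's `contains` is case-insensitive by default.

```python
# Added example, not the page's own code. Assumes Office 365 Management API
# record shape: Workload, Operation, Parameters = list of {"Name","Value"}.
# Sigma 'contains' is case-insensitive by default, so keyword matching is too.
import json

SUSPICIOUS_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
SUSPICIOUS_KEYWORDS = ["ACH", "Invoice", "Payroll", "Password Reset", "Login code"]


def flatten_parameters(parameters):
    """Join Name=Value pairs so one substring search covers every parameter."""
    return " ".join(f"{p.get('Name', '')}={p.get('Value', '')}" for p in parameters or [])


def matches_rule(record):
    """Return the keywords matched by the rule's selection (empty list = no alert)."""
    if record.get("Workload") != "Exchange":
        return []
    if record.get("Operation") not in SUSPICIOUS_OPERATIONS:
        return []
    params = flatten_parameters(record.get("Parameters")).lower()
    return [kw for kw in SUSPICIOUS_KEYWORDS if kw.lower() in params]


def scan(lines):
    """Return (UserId, Operation, matched keywords) for each record that alerts."""
    hits = []
    for line in lines:
        record = json.loads(line)
        matched = matches_rule(record)
        if matched:
            hits.append((record.get("UserId"), record["Operation"], matched))
    return hits


# Constructed sample records modelled on the audit-log schema (not real data).
SAMPLE_LOG = [
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule",
                "UserId": "alice@example.invalid",
                "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;ACH"},
                               {"Name": "ForwardTo", "Value": "ext@example.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "Set-InboxRule",
                "UserId": "bob@example.invalid",
                "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"},
                               {"Name": "HasAttachment", "Value": "True"}]}),
    json.dumps({"Workload": "OneDrive", "Operation": "FileDownloaded",
                "Parameters": [{"Name": "SourceFileName", "Value": "Payroll.xlsx"}]}),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The second record alerts only because the parameter name `HasAttachment` contains the substring `ach` under case-insensitive matching, which illustrates why the rule ships at `level: low` and why a deployment would want to scope the keywords to the rule's condition parameters (such as `SubjectContainsWords`) rather than the whole parameter list.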
