Email Forwarding Rule - Suspicious Folders

Looking for new inbox rules alone may generate too many false positives, so adding a second check for commonly abused folders, suspicious criteria, and odd rule names helps filter out benign activity. RedCanary suggests looking for new inbox rules that move or copy emails to the folders listed in the rule below (RSS Feeds, RSS Subscriptions, Archive, Deleted Items, Conversation History), which attackers favour because users rarely open them. Part of the RedCanary 2024 Threat Detection Report. Two caveats when deploying the rule as written: selection1 keys on the MoveToFolder parameter only, while New-InboxRule and Set-InboxRule also accept CopyToFolder, so copies are not caught unless that parameter is added; and `Parameters|contains` is a substring match over the whole Parameters field, so a rule whose name or other parameter happens to contain one of these words (for example "Archive") matches too.

Sigma rule

```yaml
title: Email Forwarding Rule - Suspicious Folders
id: f1595374-3a4a-4b40-aef5-0d854e043a14
status: experimental
description: |
    Looking for new rules alone may generate too many false positives, so adding another
    check for commonly abused folders, suspicious criteria, and odd names will help
    filter out benign activity. RedCanary suggests looking for new inbox rules that move or
    copy emails to the following folders. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.collection
    - attack.t1114
    - attack.t1114.003
logsource:
    service: exchange
    product: m365
detection:
    selection1:
        Workload: 'Exchange'
        Operation:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        Parameters|contains: 'MoveToFolder'
    selection2:
        Parameters|contains:
            - 'RSS Feeds'
            - 'RSS Subscriptions'
            - 'Archive'
            - 'Deleted Items'
            - 'Conversation History'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
```
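The detection logic of the rule above, applied to a handful of constructed Microsoft 365 audit records, as an added example (this is not code from RedCanary, SigmaHQ or the rule author). It assumes the Unified Audit Log `AuditData` shape, where `Parameters` is an array of `{"Name": ..., "Value": ...}` objects, and reproduces Sigma's `|contains` as a case-insensitive substring test over the flattened field. It goes beyond the rule in two labelled ways: `FOLDER_PARAMS_WITH_COPY` adds `CopyToFolder` so copies are covered as the description intends, and `matches_strict` is an alternative check that only inspects the destination-folder values, which the page does not specify. The sample records are constructed, not real log data.

```python
import json

# Selection values copied from the Sigma rule above.
OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FOLDER_PARAMS = ("MoveToFolder",)                           # the rule as written
FOLDER_PARAMS_WITH_COPY = ("MoveToFolder", "CopyToFolder")  # extension: also catch copies
SUSPICIOUS_FOLDERS = ("RSS Feeds", "RSS Subscriptions", "Archive",
                      "Deleted Items", "Conversation History")


def parameters_text(audit_data):
    """Flatten the AuditData 'Parameters' array into one string.

    Sigma's `Parameters|contains` is a case-insensitive substring test over the
    whole field, so the list of {"Name": ..., "Value": ...} objects (assumed
    Unified Audit Log shape) is joined before matching.
    """
    params = audit_data.get("Parameters", [])
    if isinstance(params, str):          # some exports already carry it as a string
        return params
    return " ".join(f"{p.get('Name', '')}:{p.get('Value', '')}" for p in params)


def matches_rule(audit_data, folder_params=FOLDER_PARAMS):
    """True when the record satisfies `all of selection*` from the rule."""
    if audit_data.get("Workload") != "Exchange":
        return False
    if audit_data.get("Operation") not in OPERATIONS:
        return False
    text = parameters_text(audit_data).lower()
    # selection1: a folder-destination parameter is present at all
    if not any(name.lower() in text for name in folder_params):
        return False
    # selection2: one of the abused folder names appears anywhere in Parameters
    return any(folder.lower() in text for folder in SUSPICIOUS_FOLDERS)


def folder_targets(audit_data, folder_params=FOLDER_PARAMS):
    """Values of the move/copy parameters only (helper for the strict variant)."""
    params = audit_data.get("Parameters", [])
    if isinstance(params, str):
        return []
    return [p.get("Value", "") for p in params if p.get("Name") in folder_params]


def matches_strict(audit_data, folder_params=FOLDER_PARAMS):
    """Stricter variant (my addition, not part of the rule): only the destination
    values are tested, so a rule merely *named* "Archive" with a harmless
    destination does not trip selection2 the way the substring form does."""
    if audit_data.get("Workload") != "Exchange" or audit_data.get("Operation") not in OPERATIONS:
        return False
    return any(folder.lower() in value.lower()
               for value in folder_targets(audit_data, folder_params)
               for folder in SUSPICIOUS_FOLDERS)


# Constructed sample AuditData records (not real log data); only the fields the
# rule looks at plus UserId are filled in.
SAMPLE_RECORDS = [
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "Set-InboxRule", "UserId": "bob@example.com",
                "Parameters": [{"Name": "Identity", "Value": "Project mail"},
                               {"Name": "MoveToFolder", "Value": "Projects/Atlas"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "carol@example.com",
                "Parameters": [{"Name": "Name", "Value": "keep a copy"},
                               {"Name": "CopyToFolder", "Value": "Deleted Items"}]}),
    json.dumps({"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "dave@example.com",
                "Parameters": [{"Name": "Name", "Value": "Archive old newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "erin@example.com",
                "Parameters": []}),
]


def run(records, folder_params=FOLDER_PARAMS, strict=False):
    """Return the UserIds of the records that the chosen variant flags."""
    check = matches_strict if strict else matches_rule
    hits = []
    for raw in records:
        data = json.loads(raw)
        if check(data, folder_params):
            hits.append(data["UserId"])
    return hits


if __name__ == "__main__":
    print("rule as written:  ", run(SAMPLE_RECORDS))
    print("with CopyToFolder:", run(SAMPLE_RECORDS, FOLDER_PARAMS_WITH_COPY))
    print("strict (values):  ", run(SAMPLE_RECORDS, FOLDER_PARAMS_WITH_COPY, strict=True))
```

Run as-is, the rule-as-written variant flags alice (a classic "hide the invoice thread" rule) and dave, whose only offence is a rule named "Archive old newsletters"; carol's copy into Deleted Items is missed until CopyToFolder is added to the parameter list, and the value-based variant keeps alice and carol while dropping dave. Which variant to ship depends on your SIEM: if its Sigma backend maps `Parameters` to a flattened string, the first function is what you actually get, and the second shows what a tighter, field-aware translation buys you.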
