Email Forwarding Rule - Suspicious Rule Names
Detects the creation of email forwarding rules with suspicious names. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Email Forwarding Rule - Suspicious Rule Names
id: 47ea2a13-f863-4403-a672-00b3d940ac92
status: experimental
description: |
    Detects the creation of email forwarding rules with suspicious names. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/email-forwarding-rule/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.collection
    - attack.t1114
    - attack.t1114.003
logsource:
    service: exchange
    product: m365
detection:
    selection_rule:
        Workload: 'Exchange'
        Operation:
            - 'New-InboxRule'
            - 'Set-InboxRule'
    selection_onechar:
        RuleName|re: '^\w{1}$'
    selection_susp_vals:
        RuleName:
            - '.'
            - '..'
            - 'aaaaa'
            - '……'
            - ';'
    condition: selection_rule and (selection_onechar or selection_susp_vals)
falsepositives:
    - Unknown
level: low
```
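To make the condition above concrete, here is an added Python example (not part of the rule, the Sigma project or RedCanary's report) that evaluates the same logic over a handful of constructed Microsoft 365 Unified Audit Log records. It assumes the ingestion pipeline has already flattened the inbox rule's name into a `RuleName` field (in raw audit records it sits inside the `Parameters` array), and it follows Sigma's default matching semantics: plain string values compare case-insensitively, while the `|re` modifier is case-sensitive. The sample records are invented for illustration.

```python
import re

# Sigma: RuleName|re: '^\w{1}$'  (case-sensitive; \w covers letters, digits and '_')
ONE_CHAR = re.compile(r"^\w{1}$")
# Sigma: plain list values are matched case-insensitively, so compare lowercased.
SUSPICIOUS_NAMES = {".", "..", "aaaaa", "……", ";"}
INBOX_RULE_OPS = {"new-inboxrule", "set-inboxrule"}


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies
    selection_rule and (selection_onechar or selection_susp_vals)."""
    # selection_rule: Workload == 'Exchange' and Operation in the New/Set list
    if str(event.get("Workload", "")).lower() != "exchange":
        return False
    if str(event.get("Operation", "")).lower() not in INBOX_RULE_OPS:
        return False

    # Assumption: RuleName has been flattened out of the Parameters array.
    name = event.get("RuleName")
    if not isinstance(name, str):
        return False

    # selection_onechar
    if ONE_CHAR.match(name):
        return True
    # selection_susp_vals
    return name.lower() in SUSPICIOUS_NAMES


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {"Id": "evt-1", "Workload": "Exchange", "Operation": "New-InboxRule",
     "RuleName": "."},                          # suspicious literal
    {"Id": "evt-2", "Workload": "Exchange", "Operation": "Set-InboxRule",
     "RuleName": "a"},                          # single word character
    {"Id": "evt-3", "Workload": "Exchange", "Operation": "New-InboxRule",
     "RuleName": "AAAAA"},                      # case-insensitive match on 'aaaaa'
    {"Id": "evt-4", "Workload": "Exchange", "Operation": "New-InboxRule",
     "RuleName": "Move invoices to Archive"},   # ordinary user rule
    {"Id": "evt-5", "Workload": "Exchange", "Operation": "Remove-InboxRule",
     "RuleName": "."},                          # operation not in the rule's list
    {"Id": "evt-6", "Workload": "Exchange", "Operation": "New-InboxRule",
     "RuleName": "…"},                          # one non-word char: slips past both selections
]


def run(events=SAMPLE_EVENTS):
    """Return the Ids of events the rule would alert on."""
    return [e["Id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT", hit)
```

The last sample record is the caveat worth knowing when you deploy this: a rule named with a single non-word character (one ellipsis, a dash, a space) matches neither `^\w{1}$` nor the literal list, so the two selections are a starting point rather than a complete name-based filter. Pair it with RedCanary's other inbox-rule detections (forwarding to external domains, deletion of moved mail) rather than relying on names alone.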