Suspicious Inbox Manipulation Rules

Aug 12, 2024 · attack.t1140 attack.defense-evasion ·

Detects suspicious rules that delete or move messages or folders are set on a user's inbox.

Sigma rule (View on GitHub)

 1title: Suspicious Inbox Manipulation Rules
 2id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
 3status: test
 4description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
 7    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023-09-03
10tags:
11    - attack.t1140
12    - attack.defense-evasion
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'mcasSuspiciousInboxManipulationRules'
19    condition: selection
20falsepositives:
21    - Actual mailbox rules that are moving items based on their workflow.
22level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Explaining risk detections in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Suspicious Inbox Manipulation Rules

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules