Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

Read More

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Read More

Looking for new rules alone may generate too many false positives, so adding another check for commonly abused folders, suspicious criteria, and odd names will help filter out benign activity. RedCanary suggests looking for new inbox rules that move or copy emails to the following folders. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the creation of email forwarding rules with suspicious strings indicating forwarding criteria meant to steal sensitive information. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the creation of email forwarding rules with suspicious names. Part of the RedCanary 2024 Threat Detection Report.

Read More