Microsoft 365 Suspicious Email Delivery
This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.
This threat involves malicious or suspicious emails, as identified by Microsoft Defender for Office 365, being delivered to user mailboxes despite the existing security mechanisms. This can occur due to various factors, including misconfigured security policies, sophisticated attacker techniques that evade detection, or delayed signature updates. The delivery of such emails presents a significant risk, as they may contain spearphishing attachments, malicious links, or other harmful content designed to compromise user accounts or systems. Successful exploitation can lead to data theft, malware infection, and further propagation of the attack within the organization. It’s crucial to investigate these instances promptly to remediate any potential damage and improve email security posture.
Attack Chain
- An attacker crafts a spearphishing email designed to bypass standard security filters.
- The email is sent to a target user within the Microsoft 365 environment.
- Microsoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.
- The email is delivered to the user’s Inbox or Junk folder.
- The user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).
- The link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).
- The attacker gains access to the user’s account or system.
- The attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.
Impact
The impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. The number of affected users and the extent of the damage will depend on the attacker’s objectives and the organization’s security controls.
Recommendation
- Deploy the provided Sigma rule to detect suspicious email delivery events in your Microsoft 365 environment, and tune it for your specific environment.
- Investigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.
- Review and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.
- Educate users about the risks of phishing emails and encourage them to report suspicious messages.
- Monitor the TIMailData operation within the M365 audit logs for further analysis and threat hunting.
Detection coverage (2 rules)
M365 Suspicious Email Delivered
Severity: medium. Detects instances where an email identified as malicious or suspicious by Microsoft Defender for Office 365 was delivered.
M365 Suspicious Email Delivered to Junk
Severity: medium. Detects instances where a flagged email was delivered to the Junk folder.
Detection queries are kept inside the platform.
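As an added example (not the platform's rules and not code from the original brief), the script below applies the logic of the two detections above to constructed TIMailData audit records: a Phish or Malware verdict combined with a "Delivered" action is a bypass, and the delivery location splits the Inbox case from the Junk case. The field names it reads (Verdict, DeliveryAction, LatestDeliveryLocation, P2Sender, Recipients, Subject) are assumptions about the Defender for Office 365 audit schema, not values taken from the brief.

```python
import json
from typing import Iterable, List, Optional

# Constructed sample lines modelled on M365 Unified Audit Log "TIMailData"
# records, one JSON object per line. Field names (Verdict, DeliveryAction,
# LatestDeliveryLocation, P2Sender, Recipients) are assumptions about the
# Defender for Office 365 audit schema: confirm them against your own export.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "TIMailData", "Verdict": "Phish", "DeliveryAction": "Delivered",
                "LatestDeliveryLocation": "Inbox/folder", "P2Sender": "payroll@example.test",
                "Recipients": ["alice@contoso.test"], "Subject": "Updated payroll form"}),
    json.dumps({"Operation": "TIMailData", "Verdict": "Malware", "DeliveryAction": "DeliveredAsSpam",
                "LatestDeliveryLocation": "JunkFolder", "P2Sender": "billing@example.test",
                "Recipients": ["bob@contoso.test"], "Subject": "Invoice 4471"}),
    # Blocked and quarantined: the filter worked, so this must not alert.
    json.dumps({"Operation": "TIMailData", "Verdict": "Phish", "DeliveryAction": "Blocked",
                "LatestDeliveryLocation": "Quarantine", "Recipients": ["carol@contoso.test"]}),
    # Plain spam landing in Junk is expected behaviour, not a bypass.
    json.dumps({"Operation": "TIMailData", "Verdict": "Spam", "DeliveryAction": "DeliveredAsSpam",
                "LatestDeliveryLocation": "JunkFolder", "Recipients": ["dave@contoso.test"]}),
    "not JSON at all: a malformed export line must be skipped, not crash the job",
]

MALICIOUS_VERDICTS = {"Phish", "Malware"}
DELIVERED_ACTIONS = {"Delivered", "DeliveredAsSpam"}

def classify(record: dict) -> Optional[str]:
    """Return the name of the detection this record satisfies, or None if benign."""
    if record.get("Operation") != "TIMailData":
        return None
    if record.get("Verdict") not in MALICIOUS_VERDICTS:
        return None
    if record.get("DeliveryAction") not in DELIVERED_ACTIONS:
        return None
    if record.get("LatestDeliveryLocation") == "JunkFolder":
        return "M365 Suspicious Email Delivered to Junk"
    return "M365 Suspicious Email Delivered"

def detect(lines: Iterable[str]) -> List[dict]:
    alerts = []  # triage-ready alerts: rule name plus sender, recipients and subject
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        rule = classify(record)
        if rule is not None:
            alerts.append({"rule": rule, "sender": record.get("P2Sender"),
                           "recipients": record.get("Recipients"), "subject": record.get("Subject")})
    return alerts
```

Running detect(SAMPLE_AUDIT_LINES) yields two alerts, one per rule, while the blocked message, the spam message and the malformed line produce none.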