Threat Feed advisory (severity: high)

O365 BEC Email Hiding Rule Creation

This analytic detects the creation of suspicious mailbox rules in Office 365, a common Business Email Compromise (BEC) technique for hiding emails from the mailbox owner. It scores each new or modified rule on attributes such as a short or nonsensical name, marking messages as read, and moving them to rarely viewed folders.

Business Email Compromise (BEC) attacks often involve creating mailbox rules to hide evidence of the intrusion or to further the attacker’s objectives. Attackers leverage these rules to automatically move, delete, or mark emails as read, effectively concealing their activities from the compromised user. This analytic detects the creation of such suspicious rules in Office 365 by using a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. A high score, based on factors like short or nonsensical rule names, marking emails as read, or moving them to specific folders (RSS, Conversation History, Archive), indicates a potential compromise and account takeover. The detection logic focuses on “New-InboxRule” and “Set-InboxRule” operations within the Exchange workload.

Attack Chain

  1. Initial Access: The attacker gains unauthorized access to an Office 365 account, typically through phishing, credential stuffing, or password spraying.
  2. Rule Enumeration (Optional): The attacker may enumerate existing inbox rules to understand the current configuration and avoid detection.
  3. Suspicious Rule Creation: The attacker creates a new inbox rule or modifies an existing one using New-InboxRule or Set-InboxRule operations.
  4. Rule Obfuscation: The attacker assigns the rule a short, generic, or nonsensical name (a single period, a lone letter, a repeated character) to avoid suspicion. Such names have low Shannon entropy, which is the property the detection scores.
  5. Hiding Actions: The rule is configured to automatically move incoming emails to less-frequented folders like “RSS,” “Conversation History,” or “Archive” using the MoveToFolder action.
  6. Mark as Read: The rule is configured to mark emails as read using the MarkAsRead action, preventing the user from noticing their arrival.
  7. Data Exfiltration/Fraud: With the mailbox effectively silenced, the attacker can proceed with their primary objective, such as exfiltrating sensitive information or conducting fraudulent activities without the user’s immediate awareness.
  8. Persistence: The attacker maintains access and control over the compromised account by ensuring the malicious inbox rule remains active.
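The scoring described above, run over the rule attributes the attack chain lists (rule name, MoveToFolder, MarkAsRead, DeleteMessage), as an added example in Python rather than the page's Splunk search or Sigma rule. The event shape follows the Office 365 Management Activity API Exchange records (Operation, Workload, UserId, and Parameters as Name/Value pairs); the sample events are constructed, and the weights, threshold and folder list are assumptions to be tuned the way the page recommends for suspicious_score.

```python
"""Score Office 365 inbox-rule audit events for BEC-style email hiding.

Added example, not the page's Splunk search or Sigma rule. Weights, the alert
threshold and the folder list are assumptions; the sample events are constructed.
"""
import json
import math
from collections import Counter

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders the page names as hiding places, plus the Outlook display name of the
# RSS folder and two other places users rarely look (assumed additions).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
ALERT_THRESHOLD = 4  # assumption; tune against observed false positives

# Constructed sample events in the Management Activity JSON-lines shape.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "alice@example.com:\\Inbox\\RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "aaaaaa"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "Workload": "Exchange", "UserId": "alice@example.com",
     "Parameters": []},
])


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def rule_parameters(event):
    """Flatten the record's Parameters list into {Name: Value} with string values."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def folder_leaf(value):
    """'user@x.com:\\Inbox\\RSS Subscriptions' -> 'rss subscriptions'."""
    return value.replace("/", "\\").rstrip("\\").split("\\")[-1].strip().lower()


def is_true(value):
    return value.strip().lower() in {"true", "$true", "1"}


def score_rule_event(event):
    """Return (suspicious_score, reasons); (0, []) for anything but a rule operation."""
    if event.get("Workload") != "Exchange" or event.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = rule_parameters(event)
    # Set-InboxRule names the rule it edits via -Identity; New-InboxRule via -Name.
    name = params.get("Name") or params.get("Identity", "")
    folder = folder_leaf(params.get("MoveToFolder", ""))
    checks = [  # (weight, reason, condition) - weights are assumptions
        (2, "short name %r" % name, bool(name) and len(name) <= 3),
        (2, "low-entropy name %r" % name, len(name) > 3 and shannon_entropy(name) < 1.5),
        (2, "MoveToFolder %r" % folder, folder in HIDING_FOLDERS),
        (1, "MarkAsRead", is_true(params.get("MarkAsRead", ""))),
        (2, "DeleteMessage", is_true(params.get("DeleteMessage", ""))),
        (1, "StopProcessingRules", is_true(params.get("StopProcessingRules", ""))),
    ]
    hits = [(w, r) for w, r, cond in checks if cond]
    return sum(w for w, _ in hits), [r for _, r in hits]


def load_events(json_lines):
    return [json.loads(line) for line in json_lines.splitlines() if line.strip()]


def triage(json_lines, threshold=ALERT_THRESHOLD):
    """Score every event; return alerts as (UserId, Operation, score, reasons)."""
    alerts = []
    for event in load_events(json_lines):
        score, reasons = score_rule_event(event)
        if score >= threshold:
            alerts.append((event["UserId"], event["Operation"], score, reasons))
    return alerts


def repeat_offenders(alerts):
    """Users with more than one alerting rule change: the page says to look at these first."""
    counts = Counter(user for user, *_ in alerts)
    return sorted(u for u, c in counts.items() if c > 1)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for user, op, score, reasons in found:
        print("%2d %-20s %-14s %s" % (score, user, op, ", ".join(reasons)))
    print("repeat offenders:", repeat_offenders(found))
```

Running it flags both of alice's rule changes (the "." rule moving invoice mail to RSS Subscriptions, then the rename-free Set-InboxRule that turns rule "aaaaaa" into a delete rule) and leaves bob's newsletter rule under the threshold, because a MoveToFolder target outside the hiding set scores nothing and MarkAsRead alone is weighted low. The short-name and low-entropy checks are mutually exclusive on purpose: a three-character name cannot have much entropy, so scoring both would double count the same signal.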

Impact

A successful BEC attack can result in significant financial loss, data breaches, and reputational damage. Attackers may use compromised email accounts to conduct fraudulent transactions, steal sensitive information, or launch further attacks against other employees or external organizations. The impact can range from individual financial loss to large-scale data breaches affecting thousands of users.

Recommendation

  • Install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events to enable the base search (o365_management_activity).
  • Install the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) to perform entropy calculations.
  • Deploy the provided Sigma rule to your SIEM and tune the suspicious_score threshold based on your environment and observed false positives.
  • Investigate any alerts generated by the Sigma rule, focusing on users with multiple suspicious rule creations.
  • Review the O365 BEC Email Hiding Rule Created filter macro (o365_bec_email_hiding_rule_created_filter) and adjust it to exclude legitimate rule creation activity in your environment.
  • Monitor for inbox rules whose names the URL Toolbox entropy lookup (ut_shannon_lookup) scores as low-entropy, and treat a higher than normal frequency of such rules as a signal worth investigating.

Detection coverage (2 rules)

Detect O365 Suspicious Inbox Rule Creation Based on Name Entropy

medium

Detects suspicious O365 inbox rule creation based on a combination of low name entropy and actions indicative of malicious intent.

Format: Sigma | Tactic: defense_evasion | Technique: T1564.008 | Sources: audit, o365

Detect O365 Inbox Rule Moving Email to Archive or RSS

medium

Detects O365 inbox rules moving emails to 'Archive' or 'RSS' folders, often used to hide communications in BEC attacks.

Format: Sigma | Tactic: defense_evasion | Technique: T1564.008 | Sources: audit, o365
