{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1140/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["attack.stealth","attack.t1140"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can create inbox manipulation rules in cloud email environments like Microsoft 365 to hide their activity, exfiltrate data, or conduct further phishing attacks. These rules automatically delete, move, or forward emails based on sender, subject, or keywords. This can be used to hide evidence of a compromised account, or to intercept communications for Business Email Compromise (BEC). The \u003ccode\u003emcasSuspiciousInboxManipulationRules\u003c/code\u003e risk event type in Azure Identity Protection flags such suspicious rules, allowing defenders to proactively identify and remediate compromised accounts. 
This detection focuses on unusual mailbox rule activity indicative of malicious intent, rather than legitimate business workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a user\u0026rsquo;s Azure account, potentially through credential theft or phishing (T1140).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the user\u0026rsquo;s Microsoft 365 account.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new inbox rule or modifies an existing one using the Exchange admin center, PowerShell, or the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003eThe rule is configured to automatically delete emails containing specific keywords related to financial transactions or security alerts (T1566).\u003c/li\u003e\n\u003cli\u003eAlternatively, the rule might forward all emails from specific internal addresses to an external account controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the manipulated inbox to conceal their activities, such as unauthorized financial transactions or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe legitimate user remains unaware of the attacker\u0026rsquo;s actions due to the automatic deletion or redirection of relevant emails.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the inbox rule remains active and undetected, allowing for continued unauthorized access and activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to conceal malicious activity within the compromised account, intercept sensitive information, and maintain persistence. This can lead to significant financial losses due to BEC, data breaches, and reputational damage. 
Undetected inbox manipulation can also hinder incident response efforts by preventing security teams from identifying and containing the attack in a timely manner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Inbox Manipulation Rules\u0026rdquo; to your SIEM and tune the \u003ccode\u003efalsepositives\u003c/code\u003e list with known good inbox rule behaviors in your organization.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the details of the created/modified inbox rules, focusing on their conditions and actions.\u003c/li\u003e\n\u003cli\u003eReview user sign-in logs for unusual activity preceding the creation of suspicious inbox rules, as described in the Microsoft documentation (\u003ca href=\"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\"\u003ehttps://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-suspicious-inbox-rules/","summary":"This brief focuses on detecting malicious inbox manipulation rules set within a user's Azure environment, often indicative of account compromise or insider threats aiming to conceal illicit activities.","title":"Detection of Suspicious Inbox Manipulation Rules in Azure","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-inbox-rules/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1140","version":"https://jsonfeed.org/version/1.1"}