{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/inbox-rule/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365"],"_cs_severities":["high"],"_cs_tags":["o365","inbox-rule","email","data-exfiltration","business-email-compromise"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently abuse Office 365 inbox rules to surreptitiously forward sensitive emails to external accounts, delete evidence of their presence, or redirect communications for business email compromise (BEC) campaigns. This analytic focuses on identifying anomalous creations or modifications of inbox rules through the 'New-InboxRule' and 'Set-InboxRule' operations. This activity is logged within the Office 365 Management Activity API. The detection specifically looks for rules that enable forwarding ('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'), deletion ('DeleteMessage', 'SoftDeleteMessage'), or moving/copying ('MoveToFolder', 'CopyToFolder') actions, as these are commonly used in malicious campaigns. Defenders should prioritize investigating new inbox rules configured with these actions, especially when coupled with suspicious source IP addresses or unusual user behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains access to a user's Office 365 account, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to Office 365 using the compromised account, generating authentication logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Creation/Modification:\u003c/strong\u003e The attacker uses the 'New-InboxRule' or 'Set-InboxRule' cmdlets via PowerShell or the Office 365 portal to create or modify an inbox rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eForwarding Rule Configuration:\u003c/strong\u003e The rule is configured to forward emails matching specific criteria (e.g., from specific senders, containing certain keywords) to an external email address controlled by the attacker using 'ForwardTo', 'ForwardAsAttachmentTo', or 'RedirectTo' parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion/Obfuscation Rule Configuration:\u003c/strong\u003e Alternatively, the attacker configures the rule to delete or move specific emails to prevent the legitimate user from noticing suspicious activity using 'DeleteMessage', 'SoftDeleteMessage', 'MoveToFolder', or 'CopyToFolder' parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Emails matching the rule's criteria are automatically forwarded to the attacker's external account, enabling data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker may delete logs or modify other settings to further obscure their activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eContinued Monitoring:\u003c/strong\u003e The attacker monitors the forwarded emails for valuable information, such as financial data, intellectual property, or sensitive communications, potentially leading to further attacks or extortion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of Office 365 inbox rules can lead to significant data breaches, financial losses, and reputational damage. Attackers can exfiltrate sensitive information, intercept financial transactions, and compromise confidential communications. Business Email Compromise (BEC) attacks frequently leverage this technique. Depending on the compromised account's role, the scope of the impact can range from individual data theft to enterprise-wide breaches, potentially affecting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor the Office 365 Management Activity API logs to capture 'New-InboxRule' and 'Set-InboxRule' events, as described in the overview section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your specific Office 365 environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, paying close attention to the user account, source IP address ('src' field in the Sigma rules), and the parameters used in the inbox rule creation/modification, focusing on the 'Parameters{}.Name' field.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Office 365 accounts to mitigate the risk of account compromise, which is a prerequisite for this attack.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of phishing and other social engineering techniques to prevent initial account compromise.\u003c/li\u003e\n\u003cli\u003eReview and audit existing inbox rules regularly to identify any suspicious or unauthorized configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-inbox-rule-creation/","summary":"This brief outlines the detection of malicious Office 365 inbox rule creation, where attackers leverage 'New-InboxRule' and 'Set-InboxRule' operations to forward, delete, or obfuscate emails, potentially leading to data exfiltration or business email compromise.","title":"Detection of Malicious Office 365 Inbox Rule Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-inbox-rule-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Exchange Online","Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["o365","exchange","inbox-rule","email-forwarding","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can exploit Microsoft 365 Exchange inbox rules to intercept and exfiltrate email data. The abuse involves creating forwarding rules that redirect emails to external, attacker-controlled addresses without proper authorization. This technique allows attackers to gain access to sensitive information without making organization-wide configuration changes or needing elevated privileges. The detection focuses on successful creation or modification events of inbox rules where forwarding parameters are set to external domains, as specified in the \u003ccode\u003eo365.audit.Parameters\u003c/code\u003e field. The scope includes any Microsoft 365 environment utilizing Exchange Online, providing a mechanism to detect and respond to potential business email compromise (BEC) attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to a legitimate user's Microsoft 365 account, potentially through phishing or credential compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Creation/Modification:\u003c/strong\u003e The attacker creates or modifies an inbox rule within the user's Exchange Online mailbox using \u003ccode\u003eNew-InboxRule\u003c/code\u003e or \u003ccode\u003eSet-InboxRule\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eForwarding Configuration:\u003c/strong\u003e The rule is configured to forward emails based on specific criteria (e.g., all emails, emails from specific senders) to an external email address via \u003ccode\u003eForwardTo\u003c/code\u003e, \u003ccode\u003eForwardAsAttachmentTo\u003c/code\u003e, \u003ccode\u003eForwardingAddress\u003c/code\u003e, \u003ccode\u003eForwardingSmtpAddress\u003c/code\u003e, or \u003ccode\u003eRedirectTo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The inbox rule remains active, automatically forwarding emails that meet the defined criteria to the attacker's address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive information is continuously exfiltrated as emails are forwarded to the external address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovert Operation:\u003c/strong\u003e The attacker may delete or hide the rule to avoid detection, although this detection focuses on the initial creation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, loss of sensitive information, and financial losses due to business email compromise. The impact can range from individual data leaks to compromise of intellectual property and confidential business communications. Without detection, attackers can maintain persistent access to sensitive email data, potentially impacting hundreds or thousands of mailboxes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;M365 Exchange Inbox Forwarding Rule Created\u0026quot; to your SIEM and tune for your environment to detect the creation of suspicious inbox rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the \u003ccode\u003eo365.audit.Parameters\u003c/code\u003e in the logs, focusing on the forwarding email addresses.\u003c/li\u003e\n\u003cli\u003eReview and update email security policies to restrict and monitor the creation of forwarding rules, as mentioned in the references.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all users to prevent unauthorized account access, reducing the risk of inbox rule manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-m365-exchange-inbox-rule/","summary":"Detection of new Microsoft 365 Exchange inbox forwarding rules indicating potential unauthorized email interception and exfiltration by attackers.","title":"M365 Exchange Inbox Forwarding Rule Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-m365-exchange-inbox-rule/"}],"language":"en","title":"CraftedSignal Threat Feed - Inbox-Rule","version":"https://jsonfeed.org/version/1.1"}