<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Inbox-Rule - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/inbox-rule/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/inbox-rule/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Malicious Office 365 Inbox Rule Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-o365-inbox-rule-creation/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-o365-inbox-rule-creation/</guid><description>This brief outlines the detection of malicious Office 365 inbox rule creation, where attackers leverage 'New-InboxRule' and 'Set-InboxRule' operations to forward, delete, or obfuscate emails, potentially leading to data exfiltration or business email compromise.</description><content:encoded><![CDATA[<p>Attackers frequently abuse Office 365 inbox rules to surreptitiously forward sensitive emails to external accounts, delete evidence of their presence, or redirect communications for business email compromise (BEC) campaigns. This analytic focuses on identifying anomalous creations or modifications of inbox rules through the 'New-InboxRule' and 'Set-InboxRule' operations. This activity is logged within the Office 365 Management Activity API. The detection specifically looks for rules that enable forwarding ('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'), deletion ('DeleteMessage', 'SoftDeleteMessage'), or moving/copying ('MoveToFolder', 'CopyToFolder') actions, as these are commonly used in malicious campaigns. Defenders should prioritize investigating new inbox rules configured with these actions, especially when coupled with suspicious source IP addresses or unusual user behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains access to a user's Office 365 account, potentially through phishing, credential stuffing, or other means.</li>
<li><strong>Authentication:</strong> The attacker authenticates to Office 365 using the compromised account, generating authentication logs.</li>
<li><strong>Rule Creation/Modification:</strong> The attacker uses the 'New-InboxRule' or 'Set-InboxRule' cmdlets via PowerShell or the Office 365 portal to create or modify an inbox rule.</li>
<li><strong>Forwarding Rule Configuration:</strong> The rule is configured to forward emails matching specific criteria (e.g., from specific senders, containing certain keywords) to an external email address controlled by the attacker using 'ForwardTo', 'ForwardAsAttachmentTo', or 'RedirectTo' parameters.</li>
<li><strong>Deletion/Obfuscation Rule Configuration:</strong> Alternatively, the attacker configures the rule to delete or move specific emails to prevent the legitimate user from noticing suspicious activity using 'DeleteMessage', 'SoftDeleteMessage', 'MoveToFolder', or 'CopyToFolder' parameters.</li>
<li><strong>Data Exfiltration:</strong> Emails matching the rule's criteria are automatically forwarded to the attacker's external account, enabling data exfiltration.</li>
<li><strong>Covering Tracks:</strong> The attacker may delete logs or modify other settings to further obscure their activity.</li>
<li><strong>Continued Monitoring:</strong> The attacker monitors the forwarded emails for valuable information, such as financial data, intellectual property, or sensitive communications, potentially leading to further attacks or extortion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of Office 365 inbox rules can lead to significant data breaches, financial losses, and reputational damage. Attackers can exfiltrate sensitive information, intercept financial transactions, and compromise confidential communications. Business Email Compromise (BEC) attacks frequently leverage this technique. Depending on the compromised account's role, the scope of the impact can range from individual data theft to enterprise-wide breaches, potentially affecting thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor the Office 365 Management Activity API logs to capture 'New-InboxRule' and 'Set-InboxRule' events, as described in the overview section.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM and tune them for your specific Office 365 environment.</li>
<li>Investigate any alerts generated by these rules, paying close attention to the user account, source IP address ('src' field in the Sigma rules), and the parameters used in the inbox rule creation/modification, focusing on the 'Parameters{}.Name' field.</li>
<li>Implement multi-factor authentication (MFA) for all Office 365 accounts to mitigate the risk of account compromise, which is a prerequisite for this attack.</li>
<li>Educate users on the risks of phishing and other social engineering techniques to prevent initial account compromise.</li>
<li>Review and audit existing inbox rules regularly to identify any suspicious or unauthorized configurations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>inbox-rule</category><category>email</category><category>data-exfiltration</category><category>business-email-compromise</category></item><item><title>M365 Exchange Inbox Forwarding Rule Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-m365-exchange-inbox-rule/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-m365-exchange-inbox-rule/</guid><description>Detection of new Microsoft 365 Exchange inbox forwarding rules indicating potential unauthorized email interception and exfiltration by attackers.</description><content:encoded><![CDATA[<p>Attackers can exploit Microsoft 365 Exchange inbox rules to intercept and exfiltrate email data. The abuse involves creating forwarding rules that redirect emails to external, attacker-controlled addresses without proper authorization. This technique allows attackers to gain access to sensitive information without making organization-wide configuration changes or needing elevated privileges. The detection focuses on successful creation or modification events of inbox rules where forwarding parameters are set to external domains, as specified in the <code>o365.audit.Parameters</code> field. The scope includes any Microsoft 365 environment utilizing Exchange Online, providing a mechanism to detect and respond to potential business email compromise (BEC) attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to a legitimate user's Microsoft 365 account, potentially through phishing or credential compromise.</li>
<li><strong>Rule Creation/Modification:</strong> The attacker creates or modifies an inbox rule within the user's Exchange Online mailbox using <code>New-InboxRule</code> or <code>Set-InboxRule</code>.</li>
<li><strong>Forwarding Configuration:</strong> The rule is configured to forward emails based on specific criteria (e.g., all emails, emails from specific senders) to an external email address via <code>ForwardTo</code>, <code>ForwardAsAttachmentTo</code>, <code>ForwardingAddress</code>, <code>ForwardingSmtpAddress</code>, or <code>RedirectTo</code>.</li>
<li><strong>Persistence:</strong> The inbox rule remains active, automatically forwarding emails that meet the defined criteria to the attacker's address.</li>
<li><strong>Data Exfiltration:</strong> Sensitive information is continuously exfiltrated as emails are forwarded to the external address.</li>
<li><strong>Covert Operation:</strong> The attacker may delete or hide the rule to avoid detection, although this detection focuses on the initial creation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to significant data breaches, loss of sensitive information, and financial losses due to business email compromise. The impact can range from individual data leaks to compromise of intellectual property and confidential business communications. Without detection, attackers can maintain persistent access to sensitive email data, potentially impacting hundreds or thousands of mailboxes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;M365 Exchange Inbox Forwarding Rule Created&quot; to your SIEM and tune for your environment to detect the creation of suspicious inbox rules.</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the <code>o365.audit.Parameters</code> in the logs, focusing on the forwarding email addresses.</li>
<li>Review and update email security policies to restrict and monitor the creation of forwarding rules, as mentioned in the references.</li>
<li>Enable multi-factor authentication (MFA) for all users to prevent unauthorized account access, reducing the risk of inbox rule manipulation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>o365</category><category>exchange</category><category>inbox-rule</category><category>email-forwarding</category><category>data-exfiltration</category></item></channel></rss>