{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mailboxrule/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Splunk TA URL Toolbox"],"_cs_severities":["high"],"_cs_tags":["bec","o365","email","mailboxrule","splunk","threat-hunting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eBusiness Email Compromise (BEC) attacks often involve creating mailbox rules to hide evidence of the intrusion or to further the attacker\u0026rsquo;s objectives. Attackers leverage these rules to automatically move, delete, or mark emails as read, effectively concealing their activities from the compromised user. This analytic detects the creation of such suspicious rules in Office 365 by using a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. A high score, based on factors like short or nonsensical rule names, marking emails as read, or moving them to specific folders (RSS, Conversation History, Archive), indicates a potential compromise and account takeover. The detection logic focuses on \u0026ldquo;New-InboxRule\u0026rdquo; and \u0026ldquo;Set-InboxRule\u0026rdquo; operations within the Exchange workload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains unauthorized access to an Office 365 account, typically through phishing, credential stuffing, or password spraying.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Enumeration (Optional):\u003c/strong\u003e The attacker may enumerate existing inbox rules to understand the current configuration and avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Rule Creation:\u003c/strong\u003e The attacker creates a new inbox rule or modifies an existing one using \u003ccode\u003eNew-InboxRule\u003c/code\u003e or \u003ccode\u003eSet-InboxRule\u003c/code\u003e operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRule Obfuscation:\u003c/strong\u003e The attacker assigns the rule a short, generic, or nonsensical name to avoid suspicion. Low entropy names are preferred.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHiding Actions:\u003c/strong\u003e The rule is configured to automatically move incoming emails to less-frequented folders like \u0026ldquo;RSS,\u0026rdquo; \u0026ldquo;Conversation History,\u0026rdquo; or \u0026ldquo;Archive\u0026rdquo; using the \u003ccode\u003eMoveToFolder\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMark as Read:\u003c/strong\u003e The rule is configured to mark emails as read using the \u003ccode\u003eMarkAsRead\u003c/code\u003e action, preventing the user from noticing their arrival.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Fraud:\u003c/strong\u003e With the mailbox effectively silenced, the attacker can proceed with their primary objective, such as exfiltrating sensitive information or conducting fraudulent activities without the user\u0026rsquo;s immediate awareness.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains access and control over the compromised account by ensuring the malicious inbox rule remains active.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BEC attack can result in significant financial loss, data breaches, and reputational damage. Attackers may use compromised email accounts to conduct fraudulent transactions, steal sensitive information, or launch further attacks against other employees or external organizations. The impact can range from individual financial loss to large-scale data breaches affecting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events to enable the base search (\u003ccode\u003eo365_management_activity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInstall the Splunk TA URL Toolbox (\u003ca href=\"https://splunkbase.splunk.com/app/2734/\"\u003ehttps://splunkbase.splunk.com/app/2734/\u003c/a\u003e) to perform entropy calculations.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003esuspicious_score\u003c/code\u003e threshold based on your environment and observed false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on users with multiple suspicious rule creations.\u003c/li\u003e\n\u003cli\u003eReview the O365 BEC Email Hiding Rule Created filter macro (\u003ccode\u003eo365_bec_email_hiding_rule_created_filter\u003c/code\u003e) and adjust it to exclude legitimate rule creation activity in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for inbox rules with names identified by the lookup table \u003ccode\u003eut_shannon_lookup\u003c/code\u003e with a higher than normal frequency.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:44:17Z","date_published":"2026-05-28T17:44:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-o365-bec-email-hiding-rule/","summary":"This analytic detects the creation of suspicious mailbox rules in Office 365, a common technique used in Business Email Compromise (BEC) to hide emails by identifying rules with short or nonsensical names, marking emails as read, or moving them to specific folders.","title":"O365 BEC Email Hiding Rule Creation","url":"https://feed.craftedsignal.io/briefs/2026-05-o365-bec-email-hiding-rule/"}],"language":"en","title":"CraftedSignal Threat Feed — Mailboxrule","version":"https://jsonfeed.org/version/1.1"}