
Commit 10d1435

Update detection name
1 parent 7e9f150 commit 10d1435

1 file changed

+4
-4
lines changed

detections/cloud/o365_suspicious_mailbox_rule_created.yml renamed to detections/cloud/o365_bec_email_hiding_rule_created.yml

Lines changed: 4 additions & 4 deletions
@@ -1,11 +1,11 @@
1-
name: O365 Suspicious Mailbox Rule Created
1+
name: O365 BEC Email Hiding Rule Created
22
id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
33
version: 1
44
date: '2025-02-14'
55
author: '0xC0FFEEEE, Github Community'
66
type: TTP
77
status: production
8-
description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
8+
description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
99
This may indicate that an attacker has gained access to the account.
1010
search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
1111
as * | eval temp=mvzip(Name,Value, "<JOIN>") | fields - Name Value | mvexpand temp
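Review bot: Dropping "suspicious" from the description (line 8) makes it read as if the analytic fires on every mailbox rule creation, while the search still gates on `suspicious_score>2`; keep a qualifier such as "detects suspicious mailbox rule creation" or state that only rules matching the scored attributes are flagged. Also, the file, `name` and the referenced filter macro are all renamed but `version: 1` and the `date` are unchanged; consumers that track this detection by name will see a new detection with the same `id`, so a version bump (and a changelog line for the rename) would make the change traceable.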
@@ -15,7 +15,7 @@ search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule"
1515
| eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,
1616
0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
1717
"^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
18-
| where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`'
18+
| where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`'
1919
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
2020
Office 365 management activity events. You also need to have the Splunk TA URL
2121
Toolbox (https://splunkbase.splunk.com/app/2734/) installed.
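Review bot: The search now ends in `` `o365_bec_email_hiding_rule_created_filter` `` but this commit changes only one file, so the macro definition that previously backed `` `o365_suspicious_mailbox_rule_created_filter` `` is not renamed here and the search will fail on an undefined macro until it is. Rename the corresponding macro definition in the same commit (or keep the old macro name) so the detection stays runnable at every commit.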
@@ -33,7 +33,7 @@ drilldown_searches:
3333
earliest_offset: $info_min_time$
3434
latest_offset: $info_max_time$
3535
rba:
36-
message: A suspicious mailbox rule was created by $user$
36+
message: Potential BEC mailbox rule was created by $user$
3737
risk_objects:
3838
- field: user
3939
type: user
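Review bot: The new `rba.message` "Potential BEC mailbox rule was created by $user$" is missing its article; "A potential BEC mailbox rule was created by $user$" reads correctly in the risk notable. Since the search already computes `suspicious_score` and the rule `Name`, surfacing those in the message would give the analyst the triage context the score is meant to provide.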