|
| 1 | +name: O365 BEC Email Hiding Rule Created |
| 2 | +id: 603ebac2-f157-4df7-a6ac-34e8d0350f86 |
| 3 | +version: 1 |
| 4 | +date: '2025-02-14' |
| 5 | +author: '0xC0FFEEEE, Github Community' |
| 6 | +type: TTP |
| 7 | +status: production |
| 8 | +description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. |
| 9 | + This may indicate that an attacker has gained access to the account. |
| 10 | +search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | |
| 11 | + stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) |
| 12 | + as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name | eval |
| 13 | + entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,0) | eval |
| 14 | + read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder, |
| 15 | + "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score |
| 16 | + | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`' |
| 17 | +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest |
| 18 | + Office 365 management activity events. You also need to have the Splunk TA URL |
| 19 | + Toolbox (https://splunkbase.splunk.com/app/2734/) installed. |
| 20 | +known_false_positives: Short rule names may trigger false positives. Adjust |
| 21 | + the entropy and length thresholds as needed. |
| 22 | +references: |
| 23 | +- https://attack.mitre.org/techniques/T1564/008/ |
| 24 | +drilldown_searches: |
| 25 | +- name: View the detection results for - "$user$" |
| 26 | + search: '%original_detection_search% | search dest = "$user$"' |
| 27 | + earliest_offset: $info_min_time$ |
| 28 | + latest_offset: $info_max_time$ |
| 29 | +- name: View risk events for the last 7 days for $user$ |
| 30 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 31 | + earliest_offset: $info_min_time$ |
| 32 | + latest_offset: $info_max_time$ |
| 33 | +rba: |
| 34 | + message: Potential BEC mailbox rule was created by $user$ |
| 35 | + risk_objects: |
| 36 | + - field: user |
| 37 | + type: user |
| 38 | + score: 25 |
| 39 | + threat_objects: |
| 40 | + - field: Name |
| 41 | + type: signature |
| 42 | +tags: |
| 43 | + analytic_story: |
| 44 | + - Office 365 Account Takeover |
| 45 | + asset_type: O365 Tenant |
| 46 | + mitre_attack_id: |
| 47 | + - T1564.008 |
| 48 | + product: |
| 49 | + - Splunk Enterprise |
| 50 | + - Splunk Enterprise Security |
| 51 | + - Splunk Cloud |
| 52 | + security_domain: audit |
| 53 | +tests: |
| 54 | +- name: True Positive Test |
| 55 | + attack_data: |
| 56 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log |
| 57 | + sourcetype: o365:management:activity |
| 58 | + source: o365 |
0 commit comments