|
| 1 | +name: O365 Suspicious Mailbox Rule Created |
| 2 | +id: 603ebac2-f157-4df7-a6ac-34e8d0350f86 |
| 3 | +version: 1 |
| 4 | +date: '2025-02-14' |
| 5 | +author: 0xC0FFEEEE |
| 6 | +type: TTP |
| 7 | +status: production |
| 8 | +enabled_by_default: true |
| 9 | +description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. |
| 10 | + This may indicate that an attacker has gained access to the account. |
| 11 | +search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.* |
| 12 | + as * | eval temp=mvzip(Name,Value, "<JOIN>") | fields - Name Value | mvexpand temp |
| 13 | + | eval temp_name=mvindex(split(temp,"<JOIN>"),0), temp_value=mvindex(split(temp,"<JOIN>"),1) |
| 14 | + | eval {temp_name}=temp_value | stats values(Name) as Name, values(MarkAsRead) as |
| 15 | + MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name |
| 16 | + | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1, |
| 17 | + 0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder, |
| 18 | + "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score |
| 19 | + | where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`' |
| 20 | +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest |
| 21 | + Office 365 management activity events. |
| 22 | +known_false_positives: Short rule names may trigger false positives. Adjust |
| 23 | + the entropy and length thresholds as needed. |
| 24 | +references: |
| 25 | +- https://attack.mitre.org/techniques/T1564/008/ |
| 26 | +drilldown_searches: |
| 27 | +- name: View the detection results |
| 28 | + search: '%original_detection_search%' |
| 29 | + earliest_offset: $info_min_time$ |
| 30 | + latest_offset: $info_max_time$ |
| 31 | +- name: View risk events for the last 7 days for $user$ |
| 32 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 33 | + earliest_offset: $info_min_time$ |
| 34 | + latest_offset: $info_max_time$ |
| 35 | +rba: |
| 36 | + message: A suspicious mailbox rule was created by $user$ |
| 37 | + risk_objects: |
| 38 | + - field: user |
| 39 | + type: user |
| 40 | + score: 25 |
| 41 | +tags: |
| 42 | + analytic_story: |
| 43 | + - Office 365 Account Takeover |
| 44 | + asset_type: O365 Tenant |
| 45 | + mitre_attack_id: |
| 46 | + - T1564.008 |
| 47 | + product: |
| 48 | + - Splunk Enterprise |
| 49 | + - Splunk Enterprise Security |
| 50 | + - Splunk Cloud |
| 51 | + security_domain: audit |
| 52 | +tests: |
| 53 | +- name: True Positive Test |
| 54 | + attack_data: |
| 55 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log |
| 56 | + sourcetype: o365:management:activity |
| 57 | + source: o365 |
0 commit comments