splunk · patel-bhavin · Mar 11, 2025 · Feb 14, 2025 · Feb 18, 2025 · Feb 19, 2025
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
@@ -0,0 +1,57 @@
+name: O365 Suspicious Mailbox Rule Created
+id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
+version: 1
+date: '2025-02-14'
+author: '0xC0FFEEEE, Github Community'
+type: TTP
+status: production
+description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
+  This may indicate that an attacker has gained access to the account.
+search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
+  as * | eval temp=mvzip(Name,Value, "<JOIN>") | fields - Name Value | mvexpand temp
+  | eval temp_name=mvindex(split(temp,"<JOIN>"),0), temp_value=mvindex(split(temp,"<JOIN>"),1)
+  | eval {temp_name}=temp_value | stats values(Name) as Name, values(MarkAsRead) as
+  MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name
+  | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,
+  0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
+  "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
+  | where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
+  Office 365 management activity events.
+known_false_positives: Short rule names may trigger false positives. Adjust
+  the entropy and length thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1564/008/
+drilldown_searches:
+- name: View the detection results
+  search: '%original_detection_search%'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $user$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A suspicious mailbox rule was created by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1564.008
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+    sourcetype: o365:management:activity
+    source: o365