[New Rule] Suspicious New-InboxRule

Question

[New Rule] Suspicious New-InboxRule

jamietlee opened this issue 3 months ago · comments

Description

Currently, an O365 rule exists to detect the creation of an Inbox Rule that forwards or redirects mail.
We have had multiple incidents related to Inbox Rule creations that have not been detected by this rule. I am proposing a new rule to detect Inbox Rules that move mail items to 'Deleted Items' or 'RSS Feeds', this a common tactic used by malicious actors.

It is common for users to create rules to delete mail. To overcome this, two rules could be created rather than one. One for moving to RSS Feeds, and the other for mail deletion. This will enable organisations to disable a rule if not applicable to them without losing functionality of the other.

The current rule:
https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml

Required Info

Target indexes

logs-o365*

Platforms

Microsoft 365

Optional Info

Query (option 1 - single rule)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and ((o365.audit.Parameters.MoveToFolder : "RSS Feeds" or o365.audit.Parameters.MoveToFolder : "Deleted Items") or o365.audit.Parameters.DeleteMessage : "True")

Query (option 2 - separate rules)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "RSS Feeds")

&

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "Deleted Items" or o365.audit.Parameters.DeleteMessage : "True")

New fields required in ECS/data sources for this rule?

No

Related issues or PRs

False Positive's

Common for users to set up rules to delete mail triggering false positives.

MITRE

ATTACK TACTIC

Collection, Exfiltration

ATTACK TECHNIQUE

Email Collection: https://attack.mitre.org/techniques/T1114/
- Email Forwarding Rule: https://attack.mitre.org/techniques/T1114/003/
Hide Artifacts: https://attack.mitre.org/techniques/T1564/
- Email Hiding Rules: https://attack.mitre.org/techniques/T1564/008/

References

https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection

Example Data

botelastic · Answer 1 · Sun Apr 14 2024 11:13:23 GMT+0800 (China Standard Time)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.