[New Rule] Suspicious New-InboxRule
jamietlee opened this issue · comments
Description
Currently, an O365 rule exists to detect the creation of an Inbox Rule that forwards or redirects mail.
We have had multiple incidents related to Inbox Rule creations that have not been detected by this rule. I am proposing a new rule to detect Inbox Rules that move mail items to 'Deleted Items' or 'RSS Feeds', this a common tactic used by malicious actors.
It is common for users to create rules to delete mail. To overcome this, two rules could be created rather than one. One for moving to RSS Feeds, and the other for mail deletion. This will enable organisations to disable a rule if not applicable to them without losing functionality of the other.
The current rule:
https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
Required Info
Target indexes
logs-o365*
Platforms
Microsoft 365
Optional Info
Query (option 1 - single rule)
event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and ((o365.audit.Parameters.MoveToFolder : "RSS Feeds" or o365.audit.Parameters.MoveToFolder : "Deleted Items") or o365.audit.Parameters.DeleteMessage : "True")
Query (option 2 - separate rules)
event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "RSS Feeds")
&
event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "Deleted Items" or o365.audit.Parameters.DeleteMessage : "True")
New fields required in ECS/data sources for this rule?
No
Related issues or PRs
False Positive's
- Common for users to set up rules to delete mail triggering false positives.
MITRE
ATTACK TACTIC
Collection, Exfiltration
ATTACK TECHNIQUE
-
Email Collection: https://attack.mitre.org/techniques/T1114/
- Email Forwarding Rule: https://attack.mitre.org/techniques/T1114/003/
-
Hide Artifacts: https://attack.mitre.org/techniques/T1564/
- Email Hiding Rules: https://attack.mitre.org/techniques/T1564/008/
References
https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection
Example Data
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.