LoFP
/
t1114
t1114
Title
Tags
administrators may create custom email routes in google workspace based on organizational policies, administrative preference or for security purposes regarding spam.
t1114
google_workspace
elastic
exporting a pst can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of pst content, it must be monitored.
t1114
m365
sigma
forwarding mail flow rules may be created for legitimate reasons, filter as needed.
t1114
o365 tenant
splunk
go utilities that use staaldraad awesome ntlm library
t1059
t1087
t1114
t1550
t1550.002
windows
sigma
legitimate exchange system administration activity.
t1005
t1059
t1098
t1114
windows
elastic
legitimate users may access a large number of mailbox items in a short period, especially in environments with high email volume or during data migrations. if this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.
t1114
o365
elastic
pst export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
t1114
o365 tenant
splunk
user using a new mail client or mobile application to access their mailbox.
t1114
o365
elastic
users accessing their mailboxes using custom or third-party applications that are authorized by the organization, such as crm or erp systems.
t1114
o365
elastic
users accessing their mailboxes using first-party microsoft applications that are not typically used by the user, such as outlook on the web or outlook mobile app.
t1114
o365
elastic
users and administrators can create inbox rules for legitimate purposes. verify if it complies with the company policy and done with the user's consent. exceptions can be added to this rule to filter expected behavior.
t1114
o365
elastic
LoFP
/
t1114