Techniques
Sample rules
O365 Email Receive and Hard Delete Takeover Behavior
- source: splunk
- technicques:
- T1070.008
- T1485
- T1114.001
Description
The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
Detection logic
`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
| eval mailtime = _time
| bin _time span=4hr
| eval user = lower(RecipientAddress)
| eval InternetMessageId = lower(MessageId)
| join InternetMessageId, user max=0
[
| search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")
| spath path=AffectedItems{} output=AffectedItemSplit
| fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path
| mvexpand AffectedItemSplit
| spath input=AffectedItemSplit
| search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
| eval deltime = _time
| bin _time span=4hr
| eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject
]
| stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_receive_and_hard_delete_takeover_behavior_filter`