O365 BEC Email Hiding Rule Created
- source: splunk
- techniques:
  - T1564.008
Description
This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. This may indicate that an attacker has gained access to the account.
Detection logic
`o365_management_activity` Workload=Exchange Operation="New-InboxRule"
| stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user
| lookup ut_shannon_lookup word as Name
| eval entropy_score=if(ut_shannon<=2, 1, 0)
| eval len_score=if(len(Name)<=3, 1,0)
| eval read_score=if(MarkAsRead="True", 1, 0)
| eval folder_score=if(match(MoveToFolder, "^(RSS|Conversation History|Archive)"), 1, 0)
| eval suspicious_score=entropy_score+len_score+read_score+folder_score
| where suspicious_score>2
| `o365_bec_email_hiding_rule_created_filter`
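The four-part score in the search above can be hard to reason about without data in front of you. The following Python is an added example, not part of this rule or of Splunk's Enterprise Security content: it reimplements the same scoring (Shannon entropy of the rule name in bits, name length, MarkAsRead, and the RSS/Conversation History/Archive folder match) over a handful of constructed New-InboxRule events so you can see which ones cross the `suspicious_score>2` threshold and which land exactly on it. The event dictionaries, user names and rule names are all made up for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample events shaped like O365 Management Activity
# New-InboxRule records (field names from the search; values invented).
SAMPLE_EVENTS = [
    {"Id": "evt-1", "user": "alice@example.com", "Name": "..",
     "MarkAsRead": "True", "MoveToFolder": "RSS Feeds"},
    {"Id": "evt-2", "user": "bob@example.com", "Name": "Move vendor invoices",
     "MarkAsRead": "False", "MoveToFolder": "Invoices"},
    {"Id": "evt-3", "user": "carol@example.com", "Name": "a",
     "MarkAsRead": "True", "MoveToFolder": "Archive"},
    {"Id": "evt-4", "user": "dave@example.com", "Name": "Newsletters",
     "MarkAsRead": "True", "MoveToFolder": "Conversation History"},
]

# Same anchored alternation as the match() call in the SPL.
FOLDER_PATTERN = re.compile(r"^(RSS|Conversation History|Archive)")


def shannon_entropy(text):
    """Shannon entropy in bits, the same quantity ut_shannon produces."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def score_rule(event):
    """Compute the four component scores and their sum for one event."""
    name = event.get("Name") or ""
    folder = event.get("MoveToFolder") or ""
    entropy_score = 1 if shannon_entropy(name) <= 2 else 0   # low-variety names
    len_score = 1 if len(name) <= 3 else 0                    # very short names
    read_score = 1 if event.get("MarkAsRead") == "True" else 0
    folder_score = 1 if FOLDER_PATTERN.match(folder) else 0   # rarely-read folders
    total = entropy_score + len_score + read_score + folder_score
    return {
        "entropy_score": entropy_score,
        "len_score": len_score,
        "read_score": read_score,
        "folder_score": folder_score,
        "suspicious_score": total,
    }


def find_suspicious(events, threshold=2):
    """Return (event, scores) pairs whose suspicious_score exceeds threshold."""
    flagged = []
    for event in events:
        scores = score_rule(event)
        if scores["suspicious_score"] > threshold:
            flagged.append((event, scores))
    return flagged


if __name__ == "__main__":
    for event, scores in find_suspicious(SAMPLE_EVENTS):
        print(event["Id"], event["user"], scores)
```

Note that evt-4 ("Newsletters" moved to Conversation History and marked read) scores exactly 2 and is therefore not flagged: the rule deliberately requires more than two of the four attributes so that a single unusual folder or a short but legitimate name does not fire on its own. If you tune the threshold downward, expect more noise from users who genuinely archive mailing-list traffic.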