Short rule names may trigger false positives. Adjust the entropy and length thresholds as needed.

Techniques

Sample rules

O365 BEC Email Hiding Rule Created

Description

This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. This may indicate that an attacker has gained access to the account.

Detection logic

`o365_management_activity` Workload=Exchange Operation="New-InboxRule" 
| stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user 
| lookup ut_shannon_lookup word as Name 
| eval entropy_score=if(ut_shannon<=2, 1, 0) 
| eval len_score=if(len(Name)<=3, 1, 0) 
| eval read_score=if(MarkAsRead="True", 1, 0) 
| eval folder_score=if(match(MoveToFolder, "^(RSS|Conversation History|Archive)"), 1, 0) 
| eval suspicious_score=entropy_score+len_score+read_score+folder_score 
| where suspicious_score>2 
| `o365_bec_email_hiding_rule_created_filter`
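The scoring above, re-implemented in Python over constructed New-InboxRule events so the thresholds can be exercised offline. This is an added example, not code from the LoFP page or the Splunk rule; field names follow the SPL, and the sample records and user names are made up.

```python
import math
import re
from typing import Dict, List

# Folders attackers commonly use to bury mail, mirroring the regex in the SPL above.
HIDING_FOLDER_RE = re.compile(r"^(RSS|Conversation History|Archive)")


def shannon_entropy(word: str) -> float:
    """Shannon entropy in bits per character, as ut_shannon computes it."""
    if not word:
        return 0.0
    n = len(word)
    counts = (word.count(ch) for ch in set(word))
    return -sum((c / n) * math.log2(c / n) for c in counts)


def suspicious_score(rule: Dict[str, str]) -> int:
    """Score one New-InboxRule event with the four attributes the rule uses."""
    name = rule.get("Name", "")
    entropy_score = 1 if shannon_entropy(name) <= 2 else 0   # low-entropy name
    len_score = 1 if len(name) <= 3 else 0                   # very short name
    read_score = 1 if rule.get("MarkAsRead") == "True" else 0  # auto-read
    folder_score = 1 if HIDING_FOLDER_RE.match(rule.get("MoveToFolder", "")) else 0
    return entropy_score + len_score + read_score + folder_score


def flag_rules(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, str]]:
    """Return Exchange New-InboxRule events scoring above the threshold (where suspicious_score>2)."""
    return [
        e for e in events
        if e.get("Workload") == "Exchange" and e.get("Operation") == "New-InboxRule"
        and suspicious_score(e) > threshold
    ]


# Constructed sample events (not real tenant data), flattened like the stats output.
SAMPLE_EVENTS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "user": "alice@example.com",
     "Name": ".", "MarkAsRead": "True", "MoveToFolder": "RSS Feeds"},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "user": "bob@example.com",
     "Name": "Vendor invoices to finance", "MarkAsRead": "False", "MoveToFolder": "Finance"},
    # Short legitimate name: scores 2 (entropy + length) but stays below the threshold.
    {"Workload": "Exchange", "Operation": "New-InboxRule", "user": "carol@example.com",
     "Name": "HR", "MarkAsRead": "False", "MoveToFolder": "Inbox"},
    {"Workload": "Exchange", "Operation": "Set-InboxRule", "user": "alice@example.com",
     "Name": ".", "MarkAsRead": "True", "MoveToFolder": "Archive"},
]

if __name__ == "__main__":
    for hit in flag_rules(SAMPLE_EVENTS):
        print(f"{hit['user']}: rule {hit['Name']!r} score={suspicious_score(hit)}")
```

The "HR" record shows why the LoFP note matters: short names alone contribute two points, so lowering the threshold to 1 would turn such rules into alerts.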