Users may create email forwarding rules for legitimate purposes. Filter as needed.

Techniques

Sample rules

O365 New Email Forwarding Rule Created

Description

This detection is crafted to monitor and identify the creation of new email forwarding rules in an Office 365 environment. It specifically targets events logged under New-InboxRule and Set-InboxRule operations within o365_management_activity, indicating the establishment or modification of inbox rules that forward emails. The detection checks for the presence of parameters such as ForwardTo, ForwardAsAttachmentTo, and RedirectTo, which are key indicators of email forwarding behavior.

Detection logic

`o365_management_activity` (Operation=New-InboxRule OR Operation=Set-InboxRule)
| eval match1=mvfind('Parameters{}.Name', "ForwardTo")
| eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo")
| eval match3=mvfind('Parameters{}.Name', "RedirectTo")
| where match1>=0 OR match2>=0 OR match3>=0
| eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo)
| stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_email_forwarding_rule_created_filter`

O365 New Email Forwarding Rule Enabled

Description

This detection aims to identify instances where new email forwarding rules are created through the UpdateInboxRules operation within an Office 365 environment. Despite the operation name suggesting an update, this specific scenario involves the addition of new rules that direct emails to external recipients, captured under the ForwardToRecipientsAction value (and its ForwardAsAttachmentToRecipientsAction and RedirectToRecipientsAction counterparts). The analytic parses the ServerRule JSON carried in OperationProperties to extract the recipient values and keeps only those that match the expected email address format.

Detection logic

`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules
| eval match1=mvfind('OperationProperties{}.Value', "ForwardToRecipientsAction")
| eval match2=mvfind('OperationProperties{}.Value', "ForwardAsAttachmentToRecipientsAction")
| eval match3=mvfind('OperationProperties{}.Value', "RedirectToRecipientsAction")
| eval index=mvfind('OperationProperties{}.Name', "ServerRule")
| where match1>=0 OR match2>=0 OR match3>=0
| eval ServerRule=mvindex('OperationProperties{}.Value', index-1)
| spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted
| mvexpand valueExtracted
| search valueExtracted="*@*.*"
| eval ForwardTo=if(match(valueExtracted, "^[^@]+@[^@]+\\.[^@]+$"), valueExtracted, null)
| dedup ForwardTo
| where isnotnull(ForwardTo)
| stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_email_forwarding_rule_enabled_filter`
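The two searches above, reimplemented in Python over constructed o365_management_activity-style events, as an added illustration that is not part of the original rules. It assumes the raw field is UserId (the SPL's `user` alias), that OperationProperties Name/Value entries line up (the SPL's index-1 offset is not reproduced), and that the sample events are fabricated for the walkthrough.

```python
import json
import re
EMAIL_RE = re.compile(r"^[^@]+@[^@]+\.[^@]+$")          # same check as the SPL regex
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARD_ACTIONS = {p + "RecipientsAction" for p in FORWARD_PARAMS}  # UpdateInboxRules action values

def forwarding_from_inbox_rule(event):
    # New-InboxRule / Set-InboxRule: the target address is a plain Parameters entry.
    if event.get("Operation", "").lower() not in ("new-inboxrule", "set-inboxrule"):
        return []
    return [p["Value"] for p in event.get("Parameters", []) if p.get("Name") in FORWARD_PARAMS]

def forwarding_from_update_inbox_rules(event):
    # UpdateInboxRules: addresses sit inside the ServerRule JSON and only count when a forward/redirect action value is present.
    if event.get("Workload") != "Exchange" or event.get("Operation") != "UpdateInboxRules":
        return []
    props = event.get("OperationProperties", [])
    if not FORWARD_ACTIONS.intersection(p.get("Value") for p in props):
        return []
    # Assumption: Name/Value pairs align, so ServerRule is looked up by name rather than via the SPL's index-1 offset.
    raw = next((p["Value"] for p in props if p.get("Name") == "ServerRule"), None)
    found = []
    for action in (json.loads(raw) if raw else {}).get("Actions", []):
        for recipient in action.get("Recipients", []):
            for entry in recipient.get("Values", []):
                addr = entry.get("Value", "")
                if EMAIL_RE.match(addr) and addr not in found:   # spath + regex filter + dedup
                    found.append(addr)
    return found

def detect(events):
    # One (user, Operation, ForwardTo) row per forwarding target, mirroring the stats grouping.
    hits = []
    for e in events:
        targets = forwarding_from_inbox_rule(e) or forwarding_from_update_inbox_rules(e)
        hits.extend((e.get("UserId"), e.get("Operation"), t) for t in targets)
    return hits

# Constructed sample events (not tenant data), shaped like o365_management_activity records.
SERVER_RULE = json.dumps({"Actions": [{"Recipients": [{"Values": [
    {"Value": "Carol Copy"}, {"Value": "copy@partner.example"}]}]}]})
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "archive@external.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@corp.example",   # benign: no forwarding parameter
     "Parameters": [{"Name": "Name", "Value": "News"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Workload": "Exchange", "Operation": "UpdateInboxRules", "UserId": "carol@corp.example",
     "OperationProperties": [{"Name": "RuleActions", "Value": "ForwardToRecipientsAction"},
                             {"Name": "ServerRule", "Value": SERVER_RULE}]},
]
```

Running `detect(SAMPLE_EVENTS)` flags only Alice's ForwardTo rule and Carol's UpdateInboxRules recipient; Bob's move-to-folder rule and the non-address recipient entry are dropped, which is the behaviour the filter macros then tune further.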