
[New Rule] Suspicious New-InboxRule

Open jamietlee opened this issue 1 year ago • 2 comments

Description

Currently, an O365 rule exists to detect the creation of an Inbox Rule that forwards or redirects mail. We have had multiple incidents related to Inbox Rule creations that have not been detected by this rule. I am proposing a new rule to detect Inbox Rules that move mail items to 'Deleted Items' or 'RSS Feeds'; this is a common tactic used by malicious actors.

It is common for users to create rules to delete mail. To overcome this, two rules could be created rather than one. One for moving to RSS Feeds, and the other for mail deletion. This will enable organisations to disable a rule if not applicable to them without losing functionality of the other.

The current rule: https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml

Required Info

Target indexes

logs-o365*

Platforms

Microsoft 365

Optional Info

Query (option 1 - single rule)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and ((o365.audit.Parameters.MoveToFolder : "RSS Feeds" or o365.audit.Parameters.MoveToFolder : "Deleted Items") or o365.audit.Parameters.DeleteMessage : "True")

Query (option 2 - separate rules)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "RSS Feeds")

&

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "Deleted Items" or o365.audit.Parameters.DeleteMessage : "True")

New fields required in ECS/data sources for this rule?

No

Related issues or PRs

False Positives

  • Common for users to set up rules to delete mail triggering false positives.

MITRE

ATTACK TACTIC

Collection, Exfiltration

ATTACK TECHNIQUE

  • Email Collection: https://attack.mitre.org/techniques/T1114/

    • Email Forwarding Rule: https://attack.mitre.org/techniques/T1114/003/
  • Hide Artifacts: https://attack.mitre.org/techniques/T1564/

    • Email Hiding Rules: https://attack.mitre.org/techniques/T1564/008/

References

https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection

Example Data

jamietlee avatar Feb 14 '24 02:02 jamietlee

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Apr 14 '24 03:04 botelastic[bot]

@jamietlee - Thanks for the suggestion. I agree we could use an OOTB prebuilt rule for new inbox rules that either delete or move messages for defense evasion. For emulation, I did the following in our tenant...

  1. Inbox rule where if keywords match, delete message is true
  2. Inbox rule where if keywords match, move to default Deleted Items (I did this with Junk Email and RSS Feeds)

From this, the query below matched on either instance of these events. The idea is to filter for new inbox rules with specific keywords, then, if the mail is automatically deleted or moved to a default folder, generate the signal.

event.dataset: "o365.audit" and
event.action: "New-InboxRule" and event.outcome: "success" and
o365.audit.Parameters.SubjectContainsWords: (
    *phish* or
    *hack* or
    *alert* or
    *malware* or
    *security* or
    *invoice* or
    *payment* or
    *wire* or
    *transfer* or
    *fraud* or
    *reset* or
    *unusual* or
    *protection* or
    *login* or
    *suspicious*
) and (
    o365.audit.Parameters.DeleteMessage: True or
    o365.audit.Parameters.MoveToFolder: (
        *Deleted* or
        *Junk* or
        *RSS*
    )
)

I have linked a PR to this issue for this new rule. Based on MSFT's documentation, the rule is of New Terms type on the user ID and IP address to reduce some false-positives if a user is adding some rules in a bunch, or has done so before in a 14 day window from the same address. If this proves to be too noisy (VPNs, Proxies, Gateways, etc.) we can always adjust address to country and monitor over time.

terrancedejesus avatar May 23 '25 01:05 terrancedejesus
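The following is an added example, not code from the issue author, the commenter, or the elastic/detection-rules repository. It replays the two detections proposed in this thread (the issue's option 1 folder/delete query, and the comment's keyword-plus-hide query) over a handful of constructed o365.audit events, and adds a hand-rolled approximation of the New Terms suppression on user ID and IP address the comment describes. Assumptions that are mine, not the page's: events are flat ECS-style dicts as they would sit in logs-o365*, with the raw audit record's Parameters array flattened to o365.audit.Parameters.<Name>; the KQL wildcard clauses are approximated as case-insensitive substring tests; the event.outcome: "success" filter is applied to both queries; and the New Terms class is a simplification of the Elastic rule type, not its implementation. All sample events are constructed, with RFC 5737 documentation addresses.

```python
"""Replay of the inbox-rule detections from this thread over constructed events.
Added example; not the project's code. See lead-in for assumptions."""
from datetime import datetime, timedelta

# keyword stems from the comment's SubjectContainsWords clause (matched as substrings)
SUSPECT_WORDS = ("phish", "hack", "alert", "malware", "security", "invoice",
                 "payment", "wire", "transfer", "fraud", "reset", "unusual",
                 "protection", "login", "suspicious")
HIDE_FOLDER_STEMS = ("deleted", "junk", "rss")   # approximates *Deleted* / *Junk* / *RSS*
ISSUE_FOLDERS = ("RSS Feeds", "Deleted Items")   # exact matches in the issue's option 1
PREFIX = "o365.audit.Parameters."                # assumed flattening of the Parameters array


def _param(ev, name):
    return ev.get(PREFIX + name)


def _as_list(value):
    # one keyword arrives as a string, several as a list
    return [] if value is None else (value if isinstance(value, list) else [value])


def _is_true(value):
    return str(value).lower() == "true"


def is_new_inbox_rule(ev):
    """Base filter shared by both queries (the outcome check is my addition for option 1)."""
    return (ev.get("event.dataset") == "o365.audit" and ev.get("event.provider") == "Exchange"
            and ev.get("event.action") == "New-InboxRule" and ev.get("event.outcome") == "success")


def matches_folder_rule(ev):
    """Issue's option 1: rule moves mail to RSS Feeds / Deleted Items, or deletes it outright."""
    return is_new_inbox_rule(ev) and (_param(ev, "MoveToFolder") in ISSUE_FOLDERS
                                      or _is_true(_param(ev, "DeleteMessage")))


def matches_keyword_rule(ev):
    """Comment's query: suspicious subject keyword AND (delete, or hide in Deleted/Junk/RSS)."""
    if not is_new_inbox_rule(ev):
        return False
    subject_words = " ".join(_as_list(_param(ev, "SubjectContainsWords"))).lower()
    if not any(w in subject_words for w in SUSPECT_WORDS):
        return False
    folder = (_param(ev, "MoveToFolder") or "").lower()
    return any(stem in folder for stem in HIDE_FOLDER_STEMS) or _is_true(_param(ev, "DeleteMessage"))


class NewTermsOnUserAndIp:
    """Approximation of a New Terms rule keyed on (user.id, source.ip): a matching event
    raises a signal only if that pair has not matched within the history window."""

    def __init__(self, history_days=14):
        self.window = timedelta(days=history_days)
        self.last_seen = {}

    def should_alert(self, ev):
        key = (ev.get("user.id"), ev.get("source.ip"))
        ts = datetime.fromisoformat(ev["@timestamp"])
        last = self.last_seen.get(key)
        self.last_seen[key] = ts
        return last is None or ts - last >= self.window


def run_rule(events, matcher, new_terms=None):
    """Return the event.id of every event that would raise a signal, in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if matcher(ev) and (new_terms is None or new_terms.should_alert(ev)):
            alerts.append(ev["event.id"])
    return alerts


def _event(eid, ts, user, ip, outcome="success", **params):
    """Build a constructed New-InboxRule audit event (sample data, not from any tenant)."""
    ev = {"event.id": eid, "@timestamp": ts, "event.dataset": "o365.audit",
          "event.provider": "Exchange", "event.action": "New-InboxRule",
          "event.outcome": outcome, "user.id": user, "source.ip": ip}
    ev.update({PREFIX + k: v for k, v in params.items()})
    return ev


SAMPLE_EVENTS = [  # constructed
    # attacker hides security notifications in RSS Feeds
    _event(1, "2024-02-01T09:00:00", "alice@example.com", "203.0.113.10",
           SubjectContainsWords=["security alert", "password reset"], MoveToFolder="RSS Feeds"),
    # benign housekeeping: user deletes newsletters (no suspicious keyword)
    _event(2, "2024-02-01T10:00:00", "bob@example.com", "198.51.100.5",
           SubjectContainsWords="newsletter", DeleteMessage="True"),
    # same user and IP two days later, now deleting invoice mail
    _event(3, "2024-02-03T09:00:00", "alice@example.com", "203.0.113.10",
           SubjectContainsWords="invoice", DeleteMessage="True"),
    # creation attempt that failed
    _event(4, "2024-02-04T09:00:00", "carol@example.com", "192.0.2.7", outcome="failure",
           SubjectContainsWords="wire transfer", DeleteMessage="True"),
    # forwarding rule: the existing prebuilt rule's territory, not these queries
    _event(5, "2024-02-05T09:00:00", "dave@example.com", "192.0.2.8",
           ForwardTo="someone@external.example"),
]

if __name__ == "__main__":
    print("option 1 (folder/delete):", run_rule(SAMPLE_EVENTS, matches_folder_rule))
    print("keyword query:", run_rule(SAMPLE_EVENTS, matches_keyword_rule))
    print("keyword query + new terms:",
          run_rule(SAMPLE_EVENTS, matches_keyword_rule, NewTermsOnUserAndIp(14)))
```

Running it shows the trade-off the thread is about: the issue's option 1 fires on the benign newsletter-deletion rule as well as on both of alice's rules, the keyword query drops the newsletter rule, and the New Terms layer drops alice's second rule because the same user and IP already matched inside the 14-day window. Shortening the window (or, as the comment suggests, keying on country instead of address) changes what is suppressed, which is why the window and key are the knobs to tune rather than the keyword list alone.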