From 4e9ef005c2906b6d5b1de02e51affe733477e7c6 Mon Sep 17 00:00:00 2001 From: dan21san <98960305+dan21san@users.noreply.github.com> Date: Mon, 18 Nov 2024 00:01:50 +0100 Subject: [PATCH] Merge PR #5061 from @dan21san - Update `Mail Forwarding/Redirecting Activity In O365` update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../audit/microsoft365_susp_email_forwarding_activity.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml index ab06ca5890c..c0a2ec12a01 100644 --- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml +++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml @@ -4,8 +4,10 @@ status: test description: Detects email forwarding or redirecting acitivty in O365 Audit logs. references: - https://redcanary.com/blog/email-forwarding-rules/ + - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t date: 2023-10-11 +modified: 2024-11-17 tags: - attack.exfiltration - attack.t1020 
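Review bot: the `description` context line in this hunk still carries the typo "acitivty" (should be "activity"); since the metadata block is already being touched here (new reference and `modified: 2024-11-17`), it would be worth correcting that line in the same change rather than leaving it for a separate cosmetic PR. Pinning the new PwC reference to a specific commit hash rather than the branch is a good choice, as it keeps the citation stable.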
@@ -31,9 +33,12 @@ detection: - 'New-InboxRule' - 'Set-InboxRule' Parameters|contains: - - 'ForwardTo' - 'ForwardAsAttachmentTo' + - 'ForwardingAddress' + - 'ForwardingSmtpAddress' + - 'ForwardTo' - 'RedirectTo' + - 'RedirectToRecipients' condition: 1 of selection_* falsepositives: - False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
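Review bot: with the `Parameters|contains` modifier, the added value `'RedirectToRecipients'` is already matched by the existing `'RedirectTo'` entry, so it adds no coverage and could be dropped (or kept only for explicitness, in which case a short comment would help the next reader). Separately, `ForwardingAddress` and `ForwardingSmtpAddress` are mailbox-level forwarding parameters rather than inbox-rule parameters, whereas the only operations visible as context in this hunk are `New-InboxRule` and `Set-InboxRule`; please confirm that the operation selection outside this hunk also covers the cmdlet that sets mailbox-level forwarding, otherwise these two new values will never contribute a match. The `falsepositives` guidance already tells analysts to whitelist allowed forwarding target domains, which is the right way to tune the wider net this change casts.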