Merge PR #5061 from @dan21san - Update Mail Forwarding/Redirecting Activity In O365

update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
dan21san
2024-11-18 00:01:50 +01:00
committed by GitHub
parent 5aa899415b
commit 4e9ef005c2
@@ -4,8 +4,10 @@ status: test
description: Detects email forwarding or redirecting acitivty in O365 Audit logs.
references:
- https://redcanary.com/blog/email-forwarding-rules/
- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
date: 2023-10-11
modified: 2024-11-17
tags:
- attack.exfiltration
- attack.t1020
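Review bot: the `description` line in this hunk still carries the typo `acitivty` (for `activity`); since the header block is already being touched here (the `modified: 2024-11-17` bump), fix the spelling in the same change, e.g. `description: Detects email forwarding or redirecting activity in O365 Audit logs.` The hunk header (`-4,8 +4,10`) says two lines were added net to this block, but the rendered view shows no removed lines, so a reviewer cannot tell from the page alone which of the visible metadata lines are new; an explicit note in the PR description of what changed in the header would help.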
@@ -31,9 +33,12 @@ detection:
- 'New-InboxRule'
- 'Set-InboxRule'
Parameters|contains:
- 'ForwardTo'
- 'ForwardAsAttachmentTo'
- 'ForwardingAddress'
- 'ForwardingSmtpAddress'
- 'ForwardTo'
- 'RedirectTo'
- 'RedirectToRecipients'
condition: 1 of selection_*
falsepositives:
- False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
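Review bot: `ForwardTo` appears twice in the `Parameters|contains` list (once near the top of the list and again after `ForwardingSmtpAddress`); drop the second copy. `RedirectToRecipients` is also redundant under a `contains` match, because the `RedirectTo` entry already matches any value containing `RedirectToRecipients`. More importantly, `ForwardingAddress` and `ForwardingSmtpAddress` are mailbox-level forwarding settings set through `Set-Mailbox`, not inbox-rule parameters; with only `New-InboxRule` and `Set-InboxRule` visible in the `Operation` list of this selection, those two new entries will never match unless `Set-Mailbox` (or a separate selection for it, given `condition: 1 of selection_*`) is part of the rule. Either confirm that such a selection exists above the shown context or add one, otherwise the "increase coverage" intent of this change is not realized. A `contains` match on `ForwardTo`/`RedirectTo` will also fire when a rule is edited to clear the target (the parameter is present with an empty value), which is worth calling out in `falsepositives`.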