Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Suspicious New-InboxRule #3444

Open
jamietlee opened this issue Feb 14, 2024 · 1 comment
Open

[New Rule] Suspicious New-InboxRule #3444

jamietlee opened this issue Feb 14, 2024 · 1 comment
Assignees
@terrancedejesus
Labels
backlog community Rule: New Proposal for new rule

Comments

@jamietlee
Copy link

Description

Currently, an O365 rule exists to detect the creation of an Inbox Rule that forwards or redirects mail.
We have had multiple incidents related to Inbox Rule creations that have not been detected by this rule. I am proposing a new rule to detect Inbox Rules that move mail items to 'Deleted Items' or 'RSS Feeds', this a common tactic used by malicious actors.

It is common for users to create rules to delete mail. To overcome this, two rules could be created rather than one. One for moving to RSS Feeds, and the other for mail deletion. This will enable organisations to disable a rule if not applicable to them without losing functionality of the other.

The current rule:
https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml

Required Info

Target indexes

logs-o365*

Platforms

Microsoft 365

Optional Info

Query (option 1 - single rule)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and ((o365.audit.Parameters.MoveToFolder : "RSS Feeds" or o365.audit.Parameters.MoveToFolder : "Deleted Items") or o365.audit.Parameters.DeleteMessage : "True")

Query (option 2 - separate rules)

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "RSS Feeds")

&

event.dataset : "o365.audit" and event.provider : "Exchange" and event.action:"New-InboxRule" and (o365.audit.Parameters.MoveToFolder : "Deleted Items" or o365.audit.Parameters.DeleteMessage : "True")

New fields required in ECS/data sources for this rule?

No

Related issues or PRs

False Positive's

  • Common for users to set up rules to delete mail triggering false positives.

MITRE

ATTACK TACTIC

Collection, Exfiltration

ATTACK TECHNIQUE

References

https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection

Example Data
@jamietlee jamietlee added the Rule: New Proposal for new rule label Feb 14, 2024
@botelastic
Copy link

botelastic bot commented Apr 14, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Apr 14, 2024
@Mikaayenson Mikaayenson added backlog Area: RAD and removed stale 60 days of inactivity labels Apr 14, 2024
@w0rk3r w0rk3r self-assigned this May 12, 2024
@w0rk3r w0rk3r assigned terrancedejesus and unassigned w0rk3r Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@terrancedejesus terrancedejesus

Labels
backlog community Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Mikaayenson @w0rk3r @terrancedejesus @jamietlee