diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml new file mode 100644 index 0000000000..51e7cd1c9a --- /dev/null +++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml @@ -0,0 +1,58 @@ +name: O365 BEC Email Hiding Rule Created +id: 603ebac2-f157-4df7-a6ac-34e8d0350f86 +version: 1 +date: '2025-02-14' +author: '0xC0FFEEEE, Github Community' +type: TTP +status: production +description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. + This may indicate that an attacker has gained access to the account. +search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | + stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) + as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name | eval + entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,0) | eval + read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder, + "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score + | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest + Office 365 management activity events. You also need to have the Splunk TA URL + Toolbox (https://splunkbase.splunk.com/app/2734/) installed. +known_false_positives: Short rule names may trigger false positives. Adjust + the entropy and length thresholds as needed. +references: +- https://attack.mitre.org/techniques/T1564/008/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search dest = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $user$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Potential BEC mailbox rule was created by $user$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: Name + type: signature +tags: + analytic_story: + - Office 365 Account Takeover + asset_type: O365 Tenant + mitre_attack_id: + - T1564.008 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log + sourcetype: o365:management:activity + source: o365