Threat Hunt | medium | experimental

Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet

Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.

Marco Pedrinazzi (InTheCyber) | Created Tue Feb 10 | 04580eed-e1d6-426b-a570-f6e64a4577f7 | windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (2 selectors)
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'New-InboxRule'
            - 'Set-InboxRule'
    selection_params:
        ScriptBlockText|contains:
            - 'DeleteMessage'
            - 'MarkAsRead'
            - 'MoveToFolder'
            - 'SubjectOrBodyContainsWords'
    condition: all of selection_*
False Positives

Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
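
The detection logic above, as an added example (not part of the original rule or its author's code): Python that applies the two selectors and the "all of selection_*" condition to constructed ScriptBlockText samples. It assumes Sigma's default case-insensitive substring matching for |contains; the function names and sample strings are hypothetical.

```python
# Added example: evaluates the rule's two selectors against constructed
# Script Block Logging text. Helper names are hypothetical.

SELECTION_CMDLET = ["New-InboxRule", "Set-InboxRule"]
SELECTION_PARAMS = ["DeleteMessage", "MarkAsRead", "MoveToFolder",
                    "SubjectOrBodyContainsWords"]


def contains_any(text, needles):
    """Sigma '|contains' with a list: case-insensitive substring, OR'd."""
    lowered = text.lower()
    return [n for n in needles if n.lower() in lowered]


def evaluate(script_block_text):
    """Return (matched, cmdlet_hits, param_hits) for 'all of selection_*'."""
    cmdlets = contains_any(script_block_text, SELECTION_CMDLET)
    params = contains_any(script_block_text, SELECTION_PARAMS)
    return bool(cmdlets and params), cmdlets, params


# Constructed ScriptBlockText samples (not real telemetry).
SAMPLES = {
    "hide_replies": "New-InboxRule -Name '.' -SubjectOrBodyContainsWords "
                    "'invoice','wire' -DeleteMessage $true",
    "lowercase": "set-inboxrule -Identity 'r1' -markasread $true",
    "user_filing": "New-InboxRule -Name 'Newsletters' -From 'news@example.com' "
                   "-MoveToFolder ':\\Newsletters'",
    "rename_only": "Set-InboxRule -Identity 'r1' -Name 'Archive'",
    "read_only": "Get-InboxRule -Mailbox 'user@example.com'",
}


def triage(samples):
    """Map sample name -> list of hits for samples the rule fires on."""
    out = {}
    for name, text in samples.items():
        matched, cmdlets, params = evaluate(text)
        if matched:
            out[name] = cmdlets + params
    return out


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {hits}")
```

The user_filing sample fires alongside the suspicious ones, which is the false-positive case described above: a match is a hunting lead to review in context, not a verdict.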