Detection | Level: high | Status: test

Suspicious Inbox Forwarding Identity Protection

Fires on Azure AD Identity Protection risk detections of type suspiciousInboxForwarding, i.e. suspicious mailbox rules such as an inbox rule that forwards a copy of all emails to an external address.

Author: Mark Morowczynski, Gloria Lee
Created: Sun Sep 03
ID: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
Category: cloud
Log Source
logsource:
    product: azure
    service: riskdetection
Detection Logic
detection:
    selection:
        riskEventType: 'suspiciousInboxForwarding'
    condition: selection
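The detection block above is a single selection on one field, so it is easy to run by hand. The following is an added example (not part of the Sigma repository or any vendor SDK): it transcribes the rule's detection logic, evaluates it over a few constructed risk-detection records shaped like Microsoft Graph riskDetection objects (the riskEventType, riskLevel and userPrincipalName fields are the only ones relied on; everything else in the records is made up for illustration), and shows that Sigma's default case-insensitive string matching still catches a record whose riskEventType differs only in letter case.

```python
"""Evaluate the page's Sigma rule over constructed Azure Identity Protection
risk-detection records.

Added example code; not the Sigma project's own tooling.  The sample records
below are constructed for this example and are not real telemetry.
"""
import re

# Constructed sample events (not real data).  evt-3 differs from evt-1 only
# in the letter case of riskEventType.
SAMPLE_EVENTS = [
    {"id": "evt-1", "riskEventType": "suspiciousInboxForwarding",
     "riskLevel": "medium", "userPrincipalName": "alice@example.com"},
    {"id": "evt-2", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "userPrincipalName": "bob@example.com"},
    {"id": "evt-3", "riskEventType": "SuspiciousInboxForwarding",
     "riskLevel": "high", "userPrincipalName": "carol@example.com"},
    {"id": "evt-4", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "userPrincipalName": "dave@example.com"},
    {"id": "evt-5", "riskLevel": "low",                # field missing entirely
     "userPrincipalName": "erin@example.com"},
]

# The rule's detection block, transcribed from the page.
RULE = {
    "title": "Suspicious Inbox Forwarding Identity Protection",
    "logsource": {"product": "azure", "service": "riskdetection"},
    "detection": {
        "selection": {"riskEventType": "suspiciousInboxForwarding"},
        "condition": "selection",
    },
    "level": "high",
}


def _to_regex(pattern):
    """Sigma plain string values match case-insensitively; '*' and '?' are
    the only wildcards.  Translate one value into an anchored regex."""
    escaped = re.escape(str(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def selection_matches(event, selection):
    """A selection map is an AND over its fields; a list value is an OR over
    the listed values.  A field absent from the event never matches."""
    for field, expected in selection.items():
        candidates = expected if isinstance(expected, list) else [expected]
        actual = event.get(field)
        if actual is None:
            return False
        if not any(_to_regex(c).match(str(actual)) for c in candidates):
            return False
    return True


def run_rule(rule, events):
    """Evaluate a rule whose condition names a single selection (enough for
    this rule; the full Sigma condition grammar is out of scope here) and
    return the matching events."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"unsupported condition: {detection['condition']!r}")
    return [e for e in events if selection_matches(e, detection[name])]


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: "
              f"{hit['userPrincipalName']} ({hit['id']})")
```

Because the rule keys on riskEventType alone, every record of that type fires, including the legitimate forwarding rule the False Positives section mentions; the hit list is a triage queue, and the forwarding target address from the underlying mailbox rule is what distinguishes a benign case from data exfiltration.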
False Positives

A legitimate forwarding rule.

Rule Metadata
Rule ID
27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
Status
test
Level
high
Type
Detection
Created
Sun Sep 03
Path
rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
Raw Tags
attack.t1114.003, attack.collection