Threat Hunt | Level: medium | Status: test
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
Author: RedCanary Team, Harjot Singh. Created Wed Oct 11, updated Sun Nov 17. Rule ID c726e007-2cd0-4a55-abfb-79730fbedee5. Category: cloud
Hunting Hypothesis
Log Source
Product: Microsoft 365 (raw: m365)
Service: audit (raw: audit)
Definition
Requirements: The 'OperationProperties' and 'Parameters' fields are lists of dicts. Map the search to the 'Value' field inside each entry rather than to the serialised list as a whole, otherwise the substring match becomes greedy.
Detection Logic (3 selectors)
detection:
    # Note: Might require separation into distinct rules in the future when enough data is gathered
    selection_updateinbox:
        Operation|contains: 'UpdateInboxRules'
        OperationProperties|contains:
            - 'Forward'
            - 'Recipients'
    selection_setmailbox:
        Operation|contains: 'Set-Mailbox'
        Parameters|contains:
            - 'ForwardingSmtpAddress'
            - 'ForwardingAddress'
    selection_setinbox:
        Operation|contains:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        Parameters|contains:
            - 'ForwardAsAttachmentTo'
            - 'ForwardingAddress'
            - 'ForwardingSmtpAddress'
            - 'ForwardTo'
            - 'RedirectTo'
            - 'RedirectToRecipients'
    condition: 1 of selection_*

False Positives
False positives are expected from legitimate mail forwarding rules, so organisation-specific knowledge is required. Filter out the domains that are allowed as forwarding targets, as well as any additional metadata (trusted sources or targets) you can use for exclusion, in order to promote this hunt to a potential detection rule.
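The following is an added example, not part of the rule or of the page: it evaluates the three selectors above against constructed Microsoft 365 Unified Audit Log records and then applies the allowlist tuning the False Positives section asks for. Field shapes ('Parameters' and 'OperationProperties' as lists of {"Name", "Value"} dicts, rule actions serialised inside a 'Value' string for UpdateInboxRules) are assumptions modelled on the Definition's requirements note; the event contents and the allowed domain are constructed sample data.

```python
"""Sigma-style evaluation of the O365 mail forwarding hunt over audit records.

Added example; field shapes and sample events are constructed assumptions,
not real telemetry and not the rule author's code.
"""
import json
import re

# Constructed, organisation-specific allowlist of trusted forwarding domains.
ALLOWED_FORWARD_DOMAINS = {"partner.example"}

# The three selectors of the rule; values under one field are OR-ed, fields
# within a selector are AND-ed, and the condition is "1 of selection_*".
SELECTORS = {
    "selection_updateinbox": {
        "Operation": ["UpdateInboxRules"],
        "OperationProperties": ["Forward", "Recipients"],
    },
    "selection_setmailbox": {
        "Operation": ["Set-Mailbox"],
        "Parameters": ["ForwardingSmtpAddress", "ForwardingAddress"],
    },
    "selection_setinbox": {
        "Operation": ["New-InboxRule", "Set-InboxRule"],
        "Parameters": ["ForwardAsAttachmentTo", "ForwardingAddress",
                       "ForwardingSmtpAddress", "ForwardTo", "RedirectTo",
                       "RedirectToRecipients"],
    },
}

# Parameter names that carry a forwarding target (used for allowlisting).
FORWARD_KEYS = set(SELECTORS["selection_setinbox"]["Parameters"])
EMAIL_DOMAIN_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)", re.I)

# Constructed sample records (assumed shape; not real audit data).
SAMPLE_EVENTS = [
    {"Id": "evt-1", "UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Id": "evt-2", "UserId": "bob@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob@partner.example"}]},
    {"Id": "evt-3", "UserId": "carol@example.com", "Operation": "UpdateInboxRules",
     "OperationProperties": [
         {"Name": "RuleActions", "Value": json.dumps(
             [{"ActionType": "Forward", "Recipients": ["ext@evil.example"]}])}]},
    {"Id": "evt-4", "UserId": "dave@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "dave"},
                    {"Name": "AuditEnabled", "Value": "True"}]},
    {"Id": "evt-5", "UserId": "erin@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def _entry_strings(field):
    """Yield the individual Name and Value strings of a list-of-dict field.

    Matching per entry (instead of against the JSON-serialised list) is the
    non-greedy mapping the rule's requirements note asks for.
    """
    if isinstance(field, str):
        yield field
        return
    for entry in field or []:
        if isinstance(entry, dict):
            for key in ("Name", "Value"):
                if isinstance(entry.get(key), str):
                    yield entry[key]
        elif isinstance(entry, str):
            yield entry


def _field_contains(field, needles):
    """Sigma 'contains' semantics: case-insensitive substring, OR over values."""
    return any(n.lower() in s.lower() for s in _entry_strings(field) for n in needles)


def matched_selectors(event):
    """Return the names of the selectors an event satisfies (AND within a selector)."""
    return [name for name, terms in SELECTORS.items()
            if all(_field_contains(event.get(f), vals) for f, vals in terms.items())]


def forwarding_domains(event):
    """Collect the domains of forwarding targets so they can be allowlisted."""
    domains = set()
    for entry in event.get("Parameters") or []:
        if isinstance(entry, dict) and entry.get("Name") in FORWARD_KEYS:
            domains.update(d.lower() for d in EMAIL_DOMAIN_RE.findall(str(entry.get("Value", ""))))
    for entry in event.get("OperationProperties") or []:  # recipients live in a serialised Value
        if isinstance(entry, dict):
            domains.update(d.lower() for d in EMAIL_DOMAIN_RE.findall(str(entry.get("Value", ""))))
    return domains


def hunt(events, allowed_domains=ALLOWED_FORWARD_DOMAINS):
    """Return (Id, UserId, selectors) for matches whose targets are not all trusted."""
    findings = []
    for ev in events:
        hits = matched_selectors(ev)
        if not hits:
            continue
        domains = forwarding_domains(ev)
        if domains and domains <= allowed_domains:
            continue  # every forwarding target is allowlisted: expected false positive
        findings.append((ev["Id"], ev["UserId"], hits))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

With the allowlist applied, the Set-Mailbox forward to the trusted partner domain drops out while the inbox rule forwarding to an unknown domain and the Outlook-client rule update are kept; passing an empty allowlist shows the untuned hunt output.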
MITRE ATT&CK
Techniques (from the rule tags):
- Collection: T1114.003 (Email Collection: Email Forwarding Rule)
- Defense Evasion: T1564.008 (Hide Artifacts: Email Hiding Rules)
- Exfiltration: T1020 (Automated Exfiltration)
Other: detection.threat-hunting
Rule Metadata
Rule ID: c726e007-2cd0-4a55-abfb-79730fbedee5
Status: test
Level: medium
Type: Threat Hunt
Created: Wed Oct 11
Modified: Sun Nov 17
Author: RedCanary Team, Harjot Singh
Path: rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
Raw Tags: attack.collection, attack.t1114.003, attack.defense-evasion, attack.t1564.008, attack.exfiltration, attack.t1020, detection.threat-hunting