
Suspicious Inbox Manipulation Rules

Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.

Authors: Mark Morowczynski, Gloria Lee
Created: Sun Sep 03
Rule ID: ceb55fd0-726e-4656-bf4e-b585b7f7d572
Category: cloud

Log Source
Product: Azure (raw: azure)
Service: riskdetection (raw: riskdetection)
Detection Logic
detection:
    selection:
        riskEventType: 'mcasSuspiciousInboxManipulationRules'
    condition: selection
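The following is an added example, not code from the Sigma project or from the rule's authors: it transcribes the rule's detection block into a Python dict, implements the small part of Sigma matching semantics the rule relies on (a selection map is an AND of its fields, a list of values is an OR, string comparison is case-insensitive), and runs it over constructed Azure Identity Protection risk detection events. The `riskEventType` field comes from the rule; the other event fields (`userPrincipalName`, `riskLevel`, `riskState`, `detectedDateTime`) are assumptions modelled on the riskDetections schema, and all values are made up.

```python
"""Apply the Sigma rule's selection to Azure Identity Protection risk detections.

Added example, not code from the Sigma project or the rule's authors. The
sample events below are constructed; only riskEventType is taken from the rule,
the remaining field names are assumptions.
"""

# The rule's detection block, transcribed as a Python dict.
DETECTION = {
    "selection": {"riskEventType": "mcasSuspiciousInboxManipulationRules"},
    "condition": "selection",
}

# Constructed sample events (all values made up; field names assumed).
SAMPLE_EVENTS = [
    {"id": "evt-1", "riskEventType": "mcasSuspiciousInboxManipulationRules",
     "userPrincipalName": "alice@example.com", "riskLevel": "high",
     "riskState": "atRisk", "detectedDateTime": "2024-01-15T10:02:00Z"},
    {"id": "evt-2", "riskEventType": "unfamiliarFeatures",
     "userPrincipalName": "bob@example.com", "riskLevel": "medium",
     "riskState": "atRisk", "detectedDateTime": "2024-01-15T10:05:00Z"},
    # Same detection type with different casing: Sigma matches it anyway.
    {"id": "evt-3", "riskEventType": "MCASSuspiciousInboxManipulationRules",
     "userPrincipalName": "carol@example.com", "riskLevel": "high",
     "riskState": "remediated", "detectedDateTime": "2024-01-15T11:30:00Z"},
    # Event with no riskEventType at all: must not match.
    {"id": "evt-4", "userPrincipalName": "dave@example.com",
     "riskLevel": "low", "riskState": "dismissed",
     "detectedDateTime": "2024-01-15T12:00:00Z"},
]


def _value_matches(expected, actual) -> bool:
    """Sigma string comparison: exact but case-insensitive.
    A list of expected values is an OR; a missing field never matches."""
    if actual is None:
        return False
    expected_values = expected if isinstance(expected, list) else [expected]
    return any(str(actual).lower() == str(v).lower() for v in expected_values)


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field/value pair in a Sigma selection map must match (AND)."""
    return all(_value_matches(v, event.get(field)) for field, v in selection.items())


def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate the rule's condition. Only a condition naming a single
    selection is supported here, which is all this rule needs."""
    name = detection["condition"].strip()
    return selection_matches(detection[name], event)


def find_alerts(events, detection=DETECTION):
    """Return the events that the rule fires on."""
    return [e for e in events if rule_matches(detection, e)]


def alert_ids(events, detection=DETECTION):
    """Convenience: just the ids of matching events."""
    return [e["id"] for e in find_alerts(events, detection)]


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"{e['detectedDateTime']} {e['userPrincipalName']} "
              f"riskLevel={e['riskLevel']} riskState={e['riskState']}")
```

Run on the constructed events, the rule fires on `evt-1` and `evt-3` only. Carrying `riskState` through to the alert is useful for triage: an event Identity Protection already marks as remediated or dismissed can be handled with lower priority, while the false positive the rule lists (legitimate workflow rules) still has to be confirmed by inspecting the actual inbox rule on the affected mailbox.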
False Positives

Actual mailbox rules that are moving items based on their workflow.

Rule Metadata
Rule ID
ceb55fd0-726e-4656-bf4e-b585b7f7d572
Status
test
Level
high
Type
Detection
Created
Sun Sep 03
Path
rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
Raw Tags
attack.t1140, attack.defense-evasion