General
This alarm is triggered when a new mailbox rule with a suspicious keyword is created within the organization. Such rules are used to automatically perform an action on certain emails, and in this case, the rule triggers on words that potentially indicate misuse or hacking.
Rationale
When an attacker has gained access to a mailbox, they can use email rules to remain unnoticed. This is a commonly used tactic in CEO fraud or BEC attacks.
For example, emails with certain keywords, such as security alarms or responses to phishing emails, can be deleted or moved to a less conspicuous folder (see also: ATT&CK T1564.008).
Therefore, mailbox rules that trigger on certain keywords are potentially suspicious and can very well be the first signal that an attacker has gained access. Such rules should be investigated to determine if there is any misuse or hacking.
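The detection described above, as an added example that is not part of the original playbook: it scans constructed audit records modeled on the Exchange `New-InboxRule` event shape (the `Operation`, `UserId` and `Parameters` fields and parameter names such as `SubjectContainsWords` and `DeleteMessage`) and raises a finding only when a keyword condition contains a watch-listed word and the rule's action hides the message. The keyword watch-list and the sample log lines are assumptions constructed for the example.

```python
import json

# Assumed watch-list of words that, in a rule condition, suggest the rule
# exists to hide evidence of compromise. Tune this for your organization.
SUSPICIOUS_KEYWORDS = {"hack", "phish", "security", "password", "suspicious", "fraud"}
# Rule actions that make matching mail disappear from the user's view.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
# Exchange inbox-rule parameters that carry keyword conditions.
KEYWORD_CONDITIONS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

# Constructed sample records (one JSON object per line), not real audit data.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Clean up"},{"Name":"SubjectContainsWords","Value":"phishing;security alert"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"News"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"Operation":"Set-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Old"},{"Name":"SubjectContainsWords","Value":"hacked"},{"Name":"DeleteMessage","Value":"True"}]}
"""


def extract_parameters(record):
    """Flatten the record's Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def evaluate_rule(record):
    """Return a finding for a New-InboxRule event that hides mail matching a
    suspicious keyword; return None for anything else."""
    if record.get("Operation") != "New-InboxRule":
        return None
    params = extract_parameters(record)
    matched = set()
    for condition in KEYWORD_CONDITIONS:
        # Exchange stores multi-word conditions as a ';'-separated string.
        for word in params.get(condition, "").split(";"):
            word = word.strip().lower()
            if word and any(k in word for k in SUSPICIOUS_KEYWORDS):
                matched.add(word)
    actions = sorted(a for a in HIDING_ACTIONS if a in params)
    if matched and actions:
        return {"user": record["UserId"], "rule": params.get("Name"),
                "keywords": sorted(matched), "actions": actions}
    return None


def scan(lines):
    """Evaluate every non-empty JSON line and return the list of findings."""
    records = (json.loads(line) for line in lines if line.strip())
    return [f for f in map(evaluate_rule, records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```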
Follow-up
Follow these steps to adequately respond to this detection:
- Contact the employee to validate whether the mailbox rule was intentionally created.
- If not: consider the employee account as compromised:
  - Reset the employee's password
  - Revoke all logged-in sessions of the employee
  - Remove the mailbox rule
  - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?)
- If yes: assess whether the purpose of the mailbox rule conflicts with company policy.
  - If yes: remove the forwarding rule and provide an explanation to the employee(s)
  - If no: close the Attic incident as resolved