General
This alarm is triggered when a new transport rule (also called a mail flow rule) containing a suspicious keyword is created in the organization's Exchange Online configuration. Transport rules automatically perform an action on every email that matches their conditions; in this case the condition is a keyword that potentially indicates misuse or hacking, such as wording typical of security alerts or phishing reports.
Rationale
When an attacker has gained access to an administrator account with rights on Exchange Online, they can use transport rules to remain undetected. Because transport rules act on mail in transit for the whole organization rather than inside a single mailbox, the affected users see nothing in their own mailbox rules. This is a commonly used tactic in CEO fraud and BEC attacks.
For instance, emails with certain keywords, such as security alarms or responses to phishing emails, can be deleted before delivery, redirected to an attacker-controlled address or silently copied elsewhere (see also: ATT&CK T1564.008, Email Hiding Rules).
Therefore, transport rules that trigger on certain keywords are potentially suspicious and can very well be the first signal that an attacker has gained access. Such rules should be investigated to determine whether there is misuse or hacking.
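To make the detection concrete, the following PowerShell is an added example and not the alarm's own logic: it scans Exchange admin audit records for New-TransportRule and Set-TransportRule operations whose keyword conditions contain suspicious terms, and rates a hit higher when the rule also deletes, redirects or blind-copies the matching mail. The two sample records are constructed to resemble Search-UnifiedAuditLog output (AuditData as a JSON string with Operation, UserId and a Parameters array of Name/Value pairs); the keyword list, the parameter names treated as conditions and actions, and the ';' separator for multi-valued parameters are assumptions to adjust for your tenant.

```powershell
# Added example (not the product's detection logic): flag transport-rule changes
# whose keyword conditions look like an attempt to hide security-related mail.

# Assumed list of terms that indicate misuse or hacking; tune per tenant.
$SuspiciousKeywords = @('hack', 'phish', 'compromis', 'suspicious', 'security alert',
                        'password', 'unauthori', 'fraud', 'malware')

# Rule parameters that carry keyword conditions, and actions that hide mail (assumed names).
$KeywordParameters = @('SubjectContainsWords', 'SubjectOrBodyContainsWords',
                       'SubjectMatchesPatterns', 'SubjectOrBodyMatchesPatterns',
                       'HeaderContainsWords')
$HidingActions     = @('DeleteMessage', 'RedirectMessageTo', 'BlindCopyTo')

function Get-SuspiciousTransportRuleEvent {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # Search-UnifiedAuditLog shaped objects
        [string[]] $Keywords = $SuspiciousKeywords
    )
    foreach ($record in $Records) {
        $data = $record.AuditData | ConvertFrom-Json
        if ($data.Operation -notin @('New-TransportRule', 'Set-TransportRule')) { continue }

        # Flatten the Name/Value parameter list into a hashtable.
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = [string]$p.Value }

        # Collect every keyword the rule matches on (multi-values assumed ';' or ',' separated).
        $conditionWords = foreach ($name in $KeywordParameters) {
            if ($params.ContainsKey($name)) {
                $params[$name] -split '[;,]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            }
        }
        # A condition word is a hit when it contains any suspicious term (case-insensitive).
        $hits = $conditionWords | Where-Object {
            $word = $_
            $Keywords | Where-Object { $word -like "*$_*" }
        }
        if (-not $hits) { continue }

        $hiding = $HidingActions | Where-Object { $params.ContainsKey($_) }
        [pscustomobject]@{
            When          = $record.CreationDate
            Operation     = $data.Operation
            Actor         = $data.UserId
            RuleName      = $(if ($params.ContainsKey('Name')) { $params['Name'] } else { $params['Identity'] })
            MatchedWords  = ($hits | Select-Object -Unique) -join '; '
            HidingActions = $hiding -join '; '
            Severity      = $(if ($hiding) { 'High' } else { 'Medium' })
        }
    }
}

# Constructed sample records: one hiding rule, one benign external-mail tagging rule.
$SampleRecords = @(
    [pscustomobject]@{
        CreationDate = '2024-05-02T09:14:33Z'
        Operations   = 'New-TransportRule'
        AuditData    = '{"Operation":"New-TransportRule","UserId":"admin@contoso.example","Parameters":[{"Name":"Name","Value":"Mail hygiene"},{"Name":"SubjectOrBodyContainsWords","Value":"hacked;phishing;suspicious sign-in"},{"Name":"DeleteMessage","Value":"True"}]}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-02T10:02:10Z'
        Operations   = 'New-TransportRule'
        AuditData    = '{"Operation":"New-TransportRule","UserId":"mailadmin@contoso.example","Parameters":[{"Name":"Name","Value":"Tag external mail"},{"Name":"FromScope","Value":"NotInOrganization"},{"Name":"PrependSubject","Value":"[EXTERNAL] "}]}'
    }
)

# Only the first record is reported (Severity High: keyword condition plus DeleteMessage).
Get-SuspiciousTransportRuleEvent -Records $SampleRecords | Format-List

# Against a live tenant (after Connect-ExchangeOnline), feed real records instead:
# $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#               -Operations 'New-TransportRule','Set-TransportRule' -ResultSize 5000
# Get-SuspiciousTransportRuleEvent -Records $events
```

The severity split matters for triage: a keyword rule that only prepends a subject tag is usually hygiene, whereas a keyword rule combined with DeleteMessage, RedirectMessageTo or BlindCopyTo is the hiding pattern the rationale describes and should go straight to the follow-up below.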
Follow-up
Perform these steps to adequately follow up on this detection:
- Contact the administrator to validate whether the transport rule was created intentionally.
  - If not: consider the administrator account as compromised:
    - Reset the administrator's password
    - Revoke all logged-in sessions of the administrator
    - Remove the transport rule
    - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised since the executing user has administrative rights.
  - If yes: assess whether the purpose of the transport rule conflicts with company policy.
    - If yes: remove the transport rule and explain the policy to the employee(s)
    - If no: close the Attic incident as resolved
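The containment branch of the follow-up above, as an added PowerShell example that is not part of the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed, that the operator holds Exchange administrator rights plus a role allowed to reset an administrator's password (Privileged Authentication Administrator for admin accounts), and that the rule name and account are the placeholders taken from the alarm. It preserves the rule and the actor's recent activity before disabling the rule, sweeps for other hiding rules, then resets the password and revokes all sessions.

```powershell
# Added example (not the product's own runbook): preserve, contain, and reset
# after a transport rule is confirmed as not intentionally created.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All'

$RuleIdentity = 'Mail hygiene'            # rule named in the alarm (placeholder)
$AdminUpn     = 'admin@contoso.example'   # account that created it (placeholder)
$EvidenceDir  = Join-Path $env:TEMP "transport-rule-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $EvidenceDir | Out-Null

# 1. Preserve the rule definition before changing anything (needed for the Tier2 investigation).
$rule = Get-TransportRule -Identity $RuleIdentity
$rule | Select-Object * | Export-Clixml -Path (Join-Path $EvidenceDir 'rule.xml')
$rule | Format-List Name, State, Priority, WhenChanged, Description

# 2. Capture what the account did recently: who/what/when for the investigation.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
              -UserIds $AdminUpn -ResultSize 5000
$events | Export-Csv -Path (Join-Path $EvidenceDir 'admin-activity.csv') -NoTypeInformation
$events | Where-Object { $_.Operations -like '*TransportRule*' -or $_.Operations -like '*InboxRule*' } |
    Select-Object CreationDate, Operations, UserIds | Format-Table -AutoSize

# 3. Sweep for other rules that silently delete, redirect or copy mail; the attacker rarely makes one.
Get-TransportRule | Where-Object { $_.DeleteMessage -or $_.RedirectMessageTo -or $_.BlindCopyTo } |
    Select-Object Name, State, WhenChanged, DeleteMessage, RedirectMessageTo, BlindCopyTo |
    Format-Table -AutoSize

# 4. Contain the rule: disable first so the definition stays available, remove once investigated.
Disable-TransportRule -Identity $RuleIdentity -Confirm:$false
# Remove-TransportRule -Identity $RuleIdentity -Confirm:$false

# 5. Treat the account as compromised: force a new password, then kill every existing session
#    so tokens issued before the reset stop working too.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $AdminUpn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $AdminUpn | Out-Null
Write-Host "Rule '$RuleIdentity' disabled, sessions of $AdminUpn revoked, evidence in $EvidenceDir"
```

Do the evidence steps (1 to 3) before step 4: once a rule is removed, Get-TransportRule no longer returns its conditions and actions, and the audit log is the only record left of what it matched on. The temporary password is never written to disk or the console; hand it over out of band.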