M365 Suspicious Mailbox Rule Creation

Detection overview

Triggers

  • An account was observed creating suspicious mailbox rules in Exchange that allow an attacker to manipulate, hide, or delete incoming emails.

Possible Root Causes

  • An attacker with control of an account created mailbox rules that hide or manipulate emails to either evade notice by the mailbox owner or impact business processes.
  • A user created a benign but broad or abnormal inbox rule as part of normal business email management.

Business Impact

  • Malicious mailbox rules may indicate that an adversary controls an internal mailbox and can read the user's email data and send email internally and externally on behalf of the user.
  • A successful attack can result in immediate data theft or in reputation loss from the compromised account.
  • A successful attack can cause further business impact through targeted phishing sent from the internal account, since internal accounts are often trusted and subject to less strict security controls than external senders.

Steps to Verify

  • Investigate the account that performed the action for other indications of malicious activity.
  • If review indicates possible malicious actions, revert configuration and disable credentials associated with this alert, then perform a comprehensive investigation.
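As an added example (not part of this detection page or its vendor's tooling), the following Python triages exported Exchange Online audit records for the rule actions the trigger above describes, namely deleting matching mail, moving it into a folder the owner rarely opens, and forwarding it to recipients outside the tenant, while leaving the kind of broad but benign rule named under Possible Root Causes unflagged. The record shape is modelled on the Unified Audit Log AuditData JSON (Operation, UserId, Parameters as Name/Value pairs); the folder list, the sensitive-word list and the contoso.example tenant domain are assumptions, and the log lines are constructed.

```python
"""Triage Exchange inbox-rule audit events whose actions hide, delete or forward mail."""
import json
from dataclasses import dataclass, field

# Audit operations that create or change an inbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders a mailbox owner rarely opens; mail moved here is effectively hidden.
# Assumption: a starting heuristic list, not an exhaustive catalogue.
RARELY_VIEWED_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                         "junk email", "deleted items", "archive"}

# Condition words that often single out security or finance correspondence (assumption).
SENSITIVE_CONDITION_WORDS = {"password", "invoice", "payment", "wire", "hacked",
                             "phish", "suspicious", "helpdesk", "security"}

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own mail domains

# Constructed sample: one AuditData JSON object per line, modelled on the shape of
# Unified Audit Log records. IPs are from documentation ranges.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime":"2024-05-02T08:14:03","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@contoso.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"password;hacked;phishing"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"},{"Name":"StopProcessingRules","Value":"True"}]}
{"CreationTime":"2024-05-02T09:02:41","Operation":"New-InboxRule","Workload":"Exchange","UserId":"bob@contoso.example","ClientIP":"198.51.100.24","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"bob@contoso.example:\\Newsletters"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-05-02T11:37:19","Operation":"Set-InboxRule","Workload":"Exchange","UserId":"carol@contoso.example","ClientIP":"203.0.113.9","Parameters":[{"Name":"Identity","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"ForwardTo","Value":"accounting@contoso.example;archive@mail-drop.example"}]}
{"CreationTime":"2024-05-02T11:40:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"carol@contoso.example","ClientIP":"203.0.113.9","Parameters":[]}
"""


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    reasons: list = field(default_factory=list)


def _params(record):
    """Flatten the Parameters array into {lowercase name: string value}."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_true(value):
    return value.strip().lower() in {"true", "1", "$true"}


def _external_recipients(value):
    """Return recipients whose domain is not one of the tenant's own."""
    out = []
    for addr in value.replace(";", ",").split(","):
        addr = addr.strip().strip('"')
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def assess_rule_event(record):
    """Return a Finding listing why the rule looks suspicious, or None if it looks benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    reasons = []
    if _is_true(p.get("deletemessage", "")):
        reasons.append("deletes matching mail")
    folder = p.get("movetofolder", "")
    if folder.rsplit("\\", 1)[-1].strip().lower() in RARELY_VIEWED_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    for action in ("forwardto", "forwardasattachmentto", "redirectto"):
        ext = _external_recipients(p.get(action, ""))
        if ext:
            reasons.append(f"{action} external recipient(s): {', '.join(ext)}")
    words = " ".join(p.get(k, "") for k in ("subjectcontainswords", "bodycontainswords",
                                           "subjectorbodycontainswords")).lower()
    hits = sorted(w for w in SENSITIVE_CONDITION_WORDS if w in words)
    if hits:
        reasons.append(f"filters on sensitive words: {', '.join(hits)}")
    # MarkAsRead and a punctuation-only rule name are common in benign rules too,
    # so they only strengthen a finding that already has a stronger reason.
    name = p.get("name") or p.get("identity", "")
    if reasons and _is_true(p.get("markasread", "")):
        reasons.append("marks mail as read")
    if reasons and not name.strip(" .,-_"):
        reasons.append(f"rule has a non-descriptive name {name!r}")
    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"], name, reasons)


def triage(audit_json_lines):
    """Run the heuristics over newline-delimited AuditData JSON and return all findings."""
    findings = []
    for line in audit_json_lines.splitlines():
        line = line.strip()
        if line:
            f = assess_rule_event(json.loads(line))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f.user} {f.operation} rule {f.rule_name!r}:")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample, the script reports alice's delete-and-filter rule and carol's rule forwarding invoices to an external domain, and stays silent on bob's newsletter rule. Each finding names the account to investigate, which is the first verification step above; the account's other sign-in and mailbox activity, not the rule alone, decides whether to revert the rule and disable the credentials.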