Name:O365 BEC Email Hiding Rule Created id:603ebac2-f157-4df7-a6ac-34e8d0350f86 version:1 date:2025-02-14 author:0xC0FFEEEE, Github Community status:production type:TTP Description:This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers. This may indicate that an attacker has gained access to the account. Data_source:
search:`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder, "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. known_false_positives:Short rule names may trigger false positives. Adjust the entropy and length thresholds as needed. References: -https://attack.mitre.org/techniques/T1564/008/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search dest = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for $user$' search:'| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Account Takeover' asset_type:O365 Tenant mitre_attack_id: - 'T1564.008' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:audit
