O365 New Email Forwarding Rule Created

Name:O365 New Email Forwarding Rule Created
id:68469fd0-1315-44ba-b7e4-e92847bb76d6
version:3
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.
Data_source:

search:`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule)
| eval match1=mvfind('Parameters{}.Name', "ForwardTo")
| eval match2=mvfind('Parameters{}.Name', "ForwardAsAttachmentTo")
| eval match3=mvfind('Parameters{}.Name', "RedirectTo")
| where match1>= 0 OR match2>= 0 OR match3>= 0
| eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo)
| stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_new_email_forwarding_rule_created_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:Users may create email forwarding rules for legitimate purposes. Filter as needed.
References:
  -https://attack.mitre.org/techniques/T1114/003/
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Collection Techniques'
  asset_type:O365 Tenant
  confidence:60
  impact:70
  message:A forwarding email inbox rule was created for $user$
  mitre_attack_id:
    - 'T1114'
    - 'T1114.003'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Operation'
    - 'Parameters{}.Name'
    - 'Name'
    - 'user'
    - 'UserId'
  risk_score:42
  security_domain:audit

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log
  sourcetype: o365:management:activity
  source: o365
manual_test:None