O365 Suspicious Admin Email Forwarding

Original Source: [splunk source]
Name:O365 Suspicious Admin Email Forwarding
id:7f398cfb-918d-41f4-8db8-2e2474e02c28
version:2
date:2024-10-17
author:Patrick Bareiss, Splunk
status:deprecated
type:Anomaly
Description:**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.
Data_source:
search:`o365_management_activity` Operation=Set-Mailbox
| spath input=Parameters
| rename Identity AS src_user
| search ForwardingAddress=*
| stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress
| where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`

how_to_implement:You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
known_false_positives:unknown
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Office 365 Collection Techniques'
    - 'Data Exfiltration'
  asset_type:O365 Tenant
  confidence:60
  impact:80
  message:User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$
  mitre_attack_id:
    - 'T1114.003'
    - 'T1114'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Operation'
    - 'Parameters'
  risk_score:48
  security_domain:threat

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json
  sourcetype: o365:management:activity
  source: o365
manual_test:None

Related Analytic Stories


Data Exfiltration

Office 365 Collection Techniques

© 2024 DetectionCode Website. All Rights Reserved.