Malicious BEC Inbox Rule

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

'Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack. This is done so as to limit ability to warn compromised users that they've been compromised.

Attribute	Value
Type	Analytic Rule
Solution	Business Email Compromise - Financial Fraud
ID	8ac77493-3cae-4840-8634-15fb23f8fb68
Severity	Medium
Kind	Scheduled
Tactics	Persistence, DefenseEvasion
Techniques	T1098, T1078
Required Connectors	Office365
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
OfficeActivity	Operation == "New-InboxRule" Parameters has "DeleteMessage" Parameters has "Deleted Items" Parameters has "Junk Email"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Business Email Compromise - Financial Fraud