Office Mail Rule Creation with suspicious archive mail move activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Hunting query to detect new inbox rule creation with activity of mail moved from inbox to archive folder within 12minutes.Though such activities could be legitimate some attackers may use these techniques to perform email diversion attack.

Attribute	Value
Type	Hunting Query
Solution	Business Email Compromise - Financial Fraud
ID	`f50a26d7-ffdb-4471-90b9-3be78c60e4f2`
Tactics	Collection, Exfiltration
Techniques	T1114, T1020
Required Connectors	Office365
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`OfficeActivity`	`OfficeWorkload == "Exchange"`	✓	✗	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries · Back to Business Email Compromise - Financial Fraud