Microsoft Sentinel SIEM is a fantastic tool that enables you to keep an eye on any malicious activity occurring in Microsoft 365 tenants. I strongly suggest everyone to implement this tool as it is very affordable.
This improved Sentinel Analytics Rule can be used to detect malicious Inbox Rules used by threat actors to hide invoice fraud activity. I’ve used the Inbox rule currently available as a template within Sentinel, and modified it to alert on Outlook rules I encountered in the wild.
The changes I made were the Keyword and the removal of the limitations of the folder destinations. This is because I often see RSS, Conversation History or other folders being used. The “..” are often used as Inbox rule names.
The modified rule is on the left, and the original one is on the right.
<strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-colibri-color-1-color">let Keywords = dynamic(["..", "RSS", "Conversation", "History", ',,', '..', "MarkAsRead"]);</mark></strong>
OfficeActivity
| where Operation =~ "New-InboxRule"
| where Parameters has_any (Keywords)
| extend Events=todynamic(Parameters)
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| extend ClientIPAddress = case(ClientIP has ".", tostring(split(ClientIP, ":")[0]), ClientIP has "[", tostring(trim_start(@'[[]', tostring(split(ClientIP, "]")[0]))), ClientIP)
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords)))
| extend RuleDetail = case(OfficeObjectId contains '/', tostring(split(OfficeObjectId, '/')[-1]), tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
by
Operation,
UserId,
ClientIPAddress,
ResultStatus,
Keyword,
OriginatingServer,
OfficeObjectId,
<mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-colibri-color-1-color"> <strong>tostring(Events)</strong></mark>
| extend
timestamp = StartTimeUtc,
IPCustomEntity = ClientIPAddress,
AccountCustomEntity = UserId,
HostCustomEntity = OriginatingServer
Code language: HTML, XML (xml)
<strong><s>let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);</s></strong>
OfficeActivity
| where Operation =~ "New-InboxRule"
<strong><s>| where Parameters has "Deleted Items"
or Parameters has "Junk Email"
or Parameters has "DeleteMessage"</s></strong>
| extend Events=todynamic(Parameters)
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords)
or BodyContainsWords has_any (Keywords)
or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case(ClientIP has ".", tostring(split(ClientIP, ":")[0]), ClientIP has "[", tostring(trim_start(@'[[]', tostring(split(ClientIP, "]")[0]))), ClientIP)
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords)))
| extend RuleDetail = case(OfficeObjectId contains '/', tostring(split(OfficeObjectId, '/')[-1]), tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
by
Operation,
UserId,
ClientIPAddress,
ResultStatus,
Keyword,
OriginatingServer,
OfficeObjectId,
RuleDetail
| extend
timestamp = StartTimeUtc,
IPCustomEntity = ClientIPAddress,
AccountCustomEntity = UserId,
HostCustomEntity = OriginatingServer
Code language: PHP (php)
Need help managing your own or your customers tenants? Contact us!
5 Responses
Could you please explain the reason behind including the characters “.”, “‘”, “,,” and “,”? I am curious about the logic behind their usage.
Hi Mike,
Inbox rules usually don’t have dots or commas as names. I’ve analyzed inbox rules for many companies to scan for historical breaches and regularly encountered malicious rules with these names.
Simple names like , or .
Best,
Jeremy
Your way of telling the whole thing in this piece of writing is genuinely nice, every one be able to simply be
aware of it, Thanks a lot.
You’re welcome, Teresa!
Hey there! I’ve been following your blog for some time now and finally got the courage
to go ahead and give you a shout out from Huffman Tx!
Just wanted to tell you keep up the fantastic job!