Exchange email-hiding inbox rule

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-11-06
Category: Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Email Hiding Rules (T1564.008)

Severity

Informational

Description

A user configured an Exchange inbox rule that may be used to hide emails.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check whether the rule's keywords look suspicious.
  • Investigate the IP address associated with the rule creation.
  • Follow up on further actions taken by the account.
  • Check for a possible phishing campaign against the organization.
  • Look for multiple instances of email hiding, which may indicate a larger campaign.
  • Check whether the user regularly configures inbox rules.

Variations

Suspicious Exchange email-hiding inbox rule

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Email Hiding Rules (T1564.008)

Severity

Medium

Description

A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check whether the rule's keywords look suspicious.
  • Investigate the IP address associated with the rule creation.
  • Follow up on further actions taken by the account.
  • Check for a possible phishing campaign against the organization.
  • Look for multiple instances of email hiding, which may indicate a larger campaign.
  • Check whether the user regularly configures inbox rules.
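The detection logic described for both variations above (a rule that hides mail is Informational; one whose conditions carry suspicious keywords is Medium), as an added example run over constructed Office 365 audit records. This is illustrative code, not Cortex XDR's detector; the keyword list and the sets of hiding/condition parameters are assumptions, and the records are made up.

```python
"""Flag Exchange inbox rules that hide mail in Office 365 audit records.
Added example, not Cortex XDR code; records are constructed and the keyword
and parameter sets below are assumptions, not the product's own logic."""
import json
import re

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that take a message out of the inbox view (assumed set).
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder"}
# Rule conditions whose values are the words the rule matches on (assumed set).
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
# Assumed keyword stems; tune to the organization's own phishing-warning wording.
SUSPICIOUS_KEYWORDS = {"phish", "hack", "password", "compromis", "suspicious", "security"}


def assess_rule(record: dict):
    """Return a finding dict for a mail-hiding rule, or None if the record is not one."""
    if record.get("Operation") not in RULE_OPS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    # Audit values are strings: "True"/"False" for switches, a folder path for MoveToFolder.
    if not any(params.get(a, "").lower() not in ("", "false") for a in HIDING_ACTIONS):
        return None
    words = {w.strip().lower() for c in CONDITION_PARAMS
             for w in re.split(r"[;,]", params.get(c, "")) if w.strip()}
    matched = sorted(w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS))
    return {"user": record.get("UserId"), "client_ip": record.get("ClientIP"),
            "rule": params.get("Name", record.get("ObjectId")),
            "keywords": sorted(words), "matched": matched,
            # Mirrors the page's two variations: a keyword hit raises the severity.
            "severity": "Medium" if matched else "Informational"}


def scan(lines):
    # Run assess_rule over newline-delimited JSON audit records, keeping only findings.
    return [f for f in (assess_rule(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed sample records in the unified audit log's JSON shape.
SAMPLE_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.10",'
    '"Parameters":[{"Name":"Name","Value":"cleanup"},{"Name":"DeleteMessage","Value":"True"},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"phishing;hacked;password reset"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.7",'
    '"Parameters":[{"Name":"Name","Value":"news"},{"Name":"MoveToFolder","Value":"Archive"},'
    '{"Name":"FromAddressContainsWords","Value":"newsletter@example.net"}]}',
    '{"Operation":"Set-InboxRule","UserId":"carol@example.com","ClientIP":"192.0.2.5",'
    '"Parameters":[{"Name":"Name","Value":"flag"},{"Name":"MarkAsRead","Value":"True"}]}',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

The third record only marks mail as read, so it produces no finding; the second hides mail without suspicious keywords and stays Informational, while the first matches keywords and is raised to Medium.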