Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user created or modified an Exchange transport (mail flow) rule whose actions could be used to hide emails from recipients in the organization.
Attacker's Goals
Prevent an organization from warning its users that they have been compromised, for example by suppressing alerts about an internal spear-phishing campaign.
Investigative actions
- Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
- Check whether the rule filters on message keywords and whether those keywords look suspicious (e.g. terms that would appear in a security warning).
- Investigate the IP address from which the rule was created or modified.
- Review subsequent actions performed by the account.
- Check for a possible phishing campaign against the organization.
- Look for multiple instances of email hiding, which may indicate a larger campaign.
- Check whether the user regularly configures transport rules.
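The following is an added example of the kind of triage logic the steps above describe, written for this page and not Cortex XDR's own detector code. It reads unified-audit-log records for `New-TransportRule` / `Set-TransportRule`, keeps only rules whose action would stop a message from reaching its recipients (delete, redirect, quarantine, or a high spam confidence level), extracts any keyword conditions, and flags keywords that look like they target security warnings. The sample records, the list of warning terms, and the SCL threshold are assumptions constructed for illustration and should be tuned per organization.

```python
"""Triage Exchange transport-rule changes that could hide mail.

Added example, not Cortex XDR's own detection logic. The record layout follows
the Office 365 unified audit log for Exchange admin cmdlets (Operation, UserId,
ClientIP, and Parameters as a list of Name/Value pairs); the SAMPLE_EVENTS below
are constructed for illustration.
"""
import json

# Cmdlets that create or change a transport (mail flow) rule.
RULE_OPS = {"New-TransportRule", "Set-TransportRule"}

# Rule actions that keep a matching message out of the recipient's inbox.
HIDING_ACTIONS = {"DeleteMessage", "RedirectMessageTo", "Quarantine", "SetSCL"}

# Rule conditions that select messages by keyword or pattern.
KEYWORD_CONDITIONS = {
    "SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords",
    "FromAddressContainsWords", "SubjectMatchesPatterns", "SubjectOrBodyMatchesPatterns",
}

# Assumed list of terms an attacker would suppress so victims are not warned.
WARNING_TERMS = ("phish", "hacked", "compromised", "suspicious", "malware",
                 "security alert", "fraud", "scam")

# Assumed threshold: SCL 5 and above is routed to Junk by default.
JUNK_SCL = 5


def _params(event):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _is_hiding(name, value):
    """True if this action/value pair would hide a matching message."""
    if name in ("DeleteMessage", "Quarantine"):
        return value.lower() == "true"
    if name == "RedirectMessageTo":
        return bool(value.strip())
    if name == "SetSCL":
        try:
            return int(value) >= JUNK_SCL
        except ValueError:
            return False
    return False


def analyze_transport_rule_events(events):
    """Return one finding per rule change that could hide mail.

    Each finding records who made the change, from which IP, which hiding
    action the rule takes, the keywords it filters on, and which of those
    keywords look like they target security warnings.
    """
    findings = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPS:
            continue
        params = _params(ev)
        actions = {n: v for n, v in params.items()
                   if n in HIDING_ACTIONS and _is_hiding(n, v)}
        if not actions:
            continue  # rule cannot hide mail; not interesting here
        # Multi-valued cmdlet parameters are logged as ';'-separated strings.
        keywords = []
        for n, v in params.items():
            if n in KEYWORD_CONDITIONS:
                keywords.extend(w.strip() for w in v.split(";") if w.strip())
        flagged = [k for k in keywords
                   if any(t in k.lower() for t in WARNING_TERMS)]
        findings.append({
            "rule": params.get("Name") or params.get("Identity") or "<unknown>",
            "operation": ev["Operation"],
            "user": ev.get("UserId"),
            "client_ip": ev.get("ClientIP"),
            "hiding_actions": actions,
            "keywords": keywords,
            "suspicious_keywords": flagged,
            "severity": "high" if flagged else "informational",
        })
    return findings


# Constructed sample audit records (not real data).
SAMPLE_EVENTS = json.loads(r'''[
 {"Operation": "New-TransportRule", "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                 {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;compromised;password reset"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "New-TransportRule", "UserId": "mailadmin@example.com", "ClientIP": "198.51.100.7",
  "Parameters": [{"Name": "Name", "Value": "Block executables"},
                 {"Name": "AttachmentExtensionMatchesWords", "Value": "exe;js"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "Set-TransportRule", "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45",
  "Parameters": [{"Name": "Identity", "Value": "Cleanup"},
                 {"Name": "RedirectMessageTo", "Value": "drop@attacker.example"},
                 {"Name": "SubjectContainsWords", "Value": "security alert"}]},
 {"Operation": "Set-Mailbox", "UserId": "mailadmin@example.com", "ClientIP": "198.51.100.7",
  "Parameters": [{"Name": "Identity", "Value": "shared"},
                 {"Name": "ForwardingSmtpAddress", "Value": "x@example.com"}]}
]''')

if __name__ == "__main__":
    print(json.dumps(analyze_transport_rule_events(SAMPLE_EVENTS), indent=2))
```

On the sample input the legitimate attachment-blocking rule is still reported (it deletes mail) but stays informational because it has no keyword condition, while the two changes by `jdoe@example.com` are raised to high on the keywords alone; the user and client IP in each finding are the pivot points for the account-compromise and IP-investigation steps above.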
Variations
- Suspicious Exchange email-hiding transport rule
- Exchange email-hiding transport rule based on message keywords