Exchange email-hiding transport rule

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Email Hiding Rules (T1564.008)

Severity

Informational

Description

A user configured an Exchange transport rule that may be used to hide emails in the organization.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the rule contains keywords and if they look suspicious.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for multiple instances of email hiding, which may be an indication of a larger campaign.
  • Check if the user regularly configures transport rules.

Variations

Suspicious Exchange email-hiding transport rule

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Email Hiding Rules (T1564.008)

Severity

Medium

Description

A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the rule contains keywords and if they look suspicious.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for multiple instances of email hiding, which may be an indication of a larger campaign.
  • Check if the user regularly configures transport rules.


Exchange email-hiding transport rule based on message keywords

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Email Hiding Rules (T1564.008)

Severity

Low

Description

A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

  • Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Check if the rule contains keywords and if they look suspicious.
  • Investigate the IP address associated with the rule.
  • Follow further actions done by the account.
  • Check for a possible phishing campaign on the organization.
  • Look for multiple instances of email hiding, which may be an indication of a larger campaign.
  • Check if the user regularly configures transport rules.