Suspicious Keyword in Mailbox Rule [RULE-1022]
This rule detects when a new mailbox rule is created in Exchange Online that contains suspicious keywords in its filter conditions. Attackers often create rules that search for specific terms related to financial transactions, security alerts, or sensitive communications in order to intercept, hide, or redirect those emails.
Rationale
After compromising a mailbox, attackers frequently create inbox rules that target emails containing specific keywords such as "invoice", "payment", "wire transfer", "password", "security alert", or similar terms. This technique is mapped to MITRE ATT&CK as T1114.003 (Email Collection: Email Forwarding Rule) and T1564.008 (Hide Artifacts: Email Hiding Rules).
These rules are designed to intercept and hide specific emails from the legitimate user. For example, an attacker may create a rule that moves all emails containing the word "invoice" to a hidden folder, marks them as read, or deletes them entirely. This allows the attacker to manipulate financial communications without the user's knowledge - a critical component of Business Email Compromise (BEC) attacks.
The combination of suspicious keywords with actions like moving to obscure folders, marking as read, or deleting makes these rules particularly dangerous. They enable attackers to silently monitor and manipulate email communications while the legitimate user remains unaware that emails are being intercepted. Early detection of these rules is essential to preventing financial fraud and unauthorized information access.
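The detection logic described above, as an added example that is not the product's own RULE-1022 implementation: it scans Exchange Online Unified Audit Log records for the `New-InboxRule` operation, looks only at the parameters that carry filter conditions (`SubjectContainsWords`, `BodyContainsWords`, `SubjectOrBodyContainsWords`, `FromAddressContainsWords`, `HeaderContainsWords`), matches the keywords named on this page, and raises the severity when the rule also performs a hiding or diverting action (`DeleteMessage`, `MoveToFolder`, `MarkAsRead`, `ForwardTo`, `RedirectTo`, and similar). The audit records are constructed for this example; the keyword list is an assumption taken from the page, not the product's real list.

```python
"""Flag New-InboxRule audit events whose filter conditions contain suspicious keywords.

Added example for RULE-1022, not the product's own detection code. It assumes the
Unified Audit Log record shape for Operation "New-InboxRule", where the cmdlet
parameters appear as a list of {"Name": ..., "Value": ...} objects.
"""
import json
import re

# Keyword list taken from the rule description (assumption: the real list is not published).
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "wire transfer", "password", "security alert")

# New-InboxRule parameters that carry filter conditions.
CONDITION_PARAMS = {
    "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
    "FromAddressContainsWords", "HeaderContainsWords",
}

# New-InboxRule parameters that hide or divert the matched mail.
HIDING_ACTIONS = {
    "DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead",
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
}


def parse_parameters(record):
    """Return {Name: Value} from a record's Parameters list (values as strings)."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def split_terms(value):
    """Split 'invoice;wire transfer' or '{invoice, wire transfer}' into clean terms."""
    parts = re.split(r"[;,]", value.strip().strip("{}"))
    return [t.strip().strip("\"'") for t in parts if t.strip()]


def suspicious_terms(terms, keywords=SUSPICIOUS_KEYWORDS):
    """Return the filter terms that contain a suspicious keyword (whole-word, case-insensitive)."""
    hits = []
    for term in terms:
        if any(re.search(r"\b" + re.escape(kw) + r"\b", term, re.IGNORECASE) for kw in keywords):
            hits.append(term)
    return hits


def evaluate_rule_event(record):
    """Return a finding for one audit record, or None if it does not match the rule."""
    if record.get("Operation") != "New-InboxRule":
        return None  # only newly created rules are in scope for this detection
    params = parse_parameters(record)
    matched = {}
    for name in sorted(CONDITION_PARAMS & set(params)):
        hits = suspicious_terms(split_terms(params[name]))
        if hits:
            matched[name] = hits
    if not matched:
        return None
    actions = sorted(HIDING_ACTIONS & set(params))
    return {
        "user": record.get("UserId"),
        "rule_name": params.get("Name"),
        "matched_conditions": matched,
        "hiding_actions": actions,
        # keyword plus a hiding action is the BEC pattern the rationale describes
        "severity": "high" if actions else "medium",
    }


def scan(records):
    """Evaluate a batch of audit records and return all findings."""
    return [f for f in (evaluate_rule_event(r) for r in records) if f]


# Constructed sample records in the Unified Audit Log shape (not real tenant data).
SAMPLE_RECORDS = [
    {  # keyword filter plus move-and-mark-read: the classic interception rule
        "Operation": "New-InboxRule", "UserId": "alice@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "Filing"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire transfer"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {  # benign rule filing newsletters: no suspicious keyword
        "Operation": "New-InboxRule", "UserId": "bob@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter@example.org"},
            {"Name": "MoveToFolder", "Value": "Reading"},
        ],
    },
    {  # modification of an existing rule: out of scope for a creation rule
        "Operation": "Set-InboxRule", "UserId": "carol@example.com",
        "Parameters": [
            {"Name": "Identity", "Value": "Filing"},
            {"Name": "SubjectContainsWords", "Value": "payment"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {  # keyword match without a hiding action: still reported, lower severity
        "Operation": "New-InboxRule", "UserId": "dave@example.com",
        "Parameters": [
            {"Name": "Name", "Value": "Security"},
            {"Name": "SubjectContainsWords", "Value": "{Password reset}"},
            {"Name": "ApplyCategory", "Value": "IT"},
        ],
    },
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

Running the block prints two findings: the high-severity interception rule for alice and a medium-severity one for dave; the newsletter rule and the `Set-InboxRule` modification produce nothing. When wiring this into a real pipeline, export the records with `Search-UnifiedAuditLog -Operations New-InboxRule` and pass the parsed `AuditData` JSON objects to `scan`.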
Follow-up
Follow these steps to adequately address this detection:
- Review the detected mailbox rule, paying attention to which keywords it searches for and what actions it performs (delete, move, forward, mark as read). Verify with the mailbox owner whether this rule was intentionally created.
- If no: The rule was not intentionally created and is likely malicious:
  - Immediately remove or disable the suspicious mailbox rule.
  - Reset the password of the affected account and revoke all active sessions via Microsoft Entra ID.
  - Review other mailbox rules on the same account for additional malicious rules. Check sign-in logs and the Unified Audit Log for suspicious activity.
  - Consider engaging Attic for a full incident response investigation, especially if the rule targeted financial keywords.
- If yes: The rule was intentionally created by the user:
  - Verify that the rule's behavior is appropriate and does not pose a security risk.
  - If acceptable: document the exception and close the incident.