Identify inbox rule creation that is consistent with business email compromise (BEC).
BEC-related inbox rules can be used to hide or entirely delete bounced emails, including non-delivery reports and out-of-office replies. The target may receive these messages after a threat actor initiates an email campaign, and such bounce notifications could raise suspicion that the user account is compromised. The rules typically match specific keywords that appear in the subject of the emails the threat actor intends to send. They may also include terms such as ‘hacked’ or ‘phishing’; these serve to hide emails sent by the IT department that might otherwise alert the target to the malicious activity.
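The same detection logic, as an added Python example rather than the page's KQL query, run over constructed audit events. The event shape (an `Operation` name plus `Parameters` as Name/Value pairs) is an assumption modeled on Exchange Online inbox-rule audit records, and the term list and sample mailboxes are constructed for illustration.

```python
# Added example (not the page's KQL). Event shape is an assumption modeled on
# Exchange Online New-InboxRule / Set-InboxRule audit records.

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule conditions a BEC actor keys on: bounce/auto-reply subjects and IT warnings.
CONDITION_PARAMS = {"SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "FromAddressContainsWords"}
SUSPICIOUS_TERMS = ["undeliverable", "delivery status", "mail delivery",
                    "out of office", "automatic reply", "hacked", "phishing"]
# Actions that keep a matching message out of the user's sight.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample events: bounce suppression, a benign filing rule, and
# suppression of IT warnings.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "Undeliverable;Delivery Status Notification"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "FromAddressContainsWords", "Value": "billing@supplier.example"},
                    {"Name": "MoveToFolder", "Value": "bob@example.com:\\Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Rule 1"},
                    {"Name": "BodyContainsWords", "Value": "hacked;phishing"},
                    {"Name": "MoveToFolder", "Value": "carol@example.com:\\RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]


def flag_bec_rules(events):
    """Return rule events whose conditions name bounce/warning terms AND whose
    actions hide the message; either signal alone is common in benign rules."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        # Only the rule *conditions* are searched; a folder or rule name that
        # happens to contain "phishing" is not by itself the BEC pattern.
        condition_text = " ".join(v.lower() for k, v in params.items()
                                  if k in CONDITION_PARAMS)
        matched = [t for t in SUSPICIOUS_TERMS if t in condition_text]
        actions = sorted(a for a in HIDING_ACTIONS if params.get(a, "False") != "False")
        if matched and actions:
            hits.append({"UserId": ev["UserId"], "Operation": ev["Operation"],
                         "Terms": matched, "Actions": actions})
    return hits
```

Tuning the term list to the bounce and auto-reply subjects your mail system actually generates is what keeps the false-positive rate low in production.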
KQL query: BEC-related inbox rule creation