| property | value |
| --- | --- |
| tags | azure-cloud,cloud-attacks,cloud-forensics,email-compromise,microsoft-ual |
| url | |
| original_word_count | 1480 |
Article Excerpt
In this blog, we present various scenarios in which threat actors can utilise email forwarding rules and the associated evidence in the UAL. Additionally, we have created a comprehensive mind map that summarises the contents of the blog for use in incident detection and response investigations.
Long Summary
This article provides an overview of the threat actor technique of email forwarding rules and the associated evidence in the Unified Audit Log (UAL). It outlines the scenarios in which a threat actor can utilise email forwarding rules: creation of a new mailbox rule, modification or deletion of an existing mailbox rule, creation of a new transport rule, modification or deletion of an existing transport rule, and the generation of a security alert. For each scenario it provides examples of the UAL entries that are generated.
The article explains that there are two types of rules: mailbox rules, which can be configured by the owner, an admin or a delegate of a mailbox, and transport rules, which can only be configured by users with administrative roles/permissions. It also explains that the UAL is a crucial log for incident response in Microsoft 365 tenants, as it captures both user- and admin-initiated actions.
The article then walks through the UAL entries generated for each scenario and the fields an investigator should read in them: ClientIP, Parameters, UserId, ObjectId, RuleOperation, RuleAction, Identity, AppId, and Data. It also explains that the Security & Compliance center's built-in alerts can be used to identify unusual activity in the UAL.
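As an added illustration, not code from the original article, the following Python triage separates mailbox-rule from transport-rule operations in exported UAL AuditData records and pulls out the UserId, ClientIP and the forwarding parameters the article says to look for. The sample records, addresses and IPs are constructed; the cmdlet names and parameter names are the real Exchange Online ones.

```python
import json

# UAL operations for the two rule types the article contrasts: mailbox (inbox)
# rules, which the owner/delegate can set, and tenant-wide transport rules.
MAILBOX_OPS = {"New-InboxRule", "Set-InboxRule", "Remove-InboxRule"}
TRANSPORT_OPS = {"New-TransportRule", "Set-TransportRule", "Remove-TransportRule"}
# Cmdlet parameters that deliver mail to another recipient (the exfiltration path).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "RedirectMessageTo", "BlindCopyTo", "AddToRecipients"}
# Parameters often paired with forwarding to keep the copies out of the owner's view.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

def triage_rule_event(audit_data: str):
    """Summarise one UAL AuditData JSON record; None if it is not a rule operation."""
    rec = json.loads(audit_data)
    op = rec.get("Operation", "")
    rule_type = ("mailbox" if op in MAILBOX_OPS else
                 "transport" if op in TRANSPORT_OPS else None)
    if rule_type is None:
        return None
    # Exchange admin audit records carry the cmdlet arguments as Name/Value pairs.
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    return {"operation": op, "rule_type": rule_type,
            "actor": rec.get("UserId"), "client_ip": rec.get("ClientIP"),
            "rule": params.get("Name") or params.get("Identity") or rec.get("ObjectId"),
            "forwards_to": sorted(params[k] for k in FORWARD_PARAMS if k in params),
            "hides_mail": any(k in params for k in HIDE_PARAMS)}

def find_forwarding_rules(records):
    """Return the triage summary of every rule event that forwards mail elsewhere."""
    hits = (triage_rule_event(r) for r in records)
    return [h for h in hits if h and h["forwards_to"]]

# Constructed sample AuditData records (not taken from a real tenant).
SAMPLE_UAL = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.7", "ObjectId": "alice@example.com\\Invoices",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "203.0.113.9", "Parameters": [
                    {"Name": "Identity", "Value": "Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-TransportRule", "UserId": "admin@example.com",
                "ClientIP": "192.0.2.25", "Parameters": [
                    {"Name": "Name", "Value": "Archive copy"},
                    {"Name": "BlindCopyTo", "Value": "archive@example.org"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@example.com"}),
]
```

A mailbox rule that both forwards externally and sets DeleteMessage, as in the first sample record, is the pattern to escalate first; a transport rule with a forwarding parameter points at an admin account and should be checked against change records.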
To summarise the contents of the blog, the article provides a mind map that includes the different scenarios and UAL evidence. It also provides further reading resources on BEC and email forwarding rules.
In conclusion, this article provides a comprehensive overview of the threat actor technique of email forwarding rules and the associated evidence in the UAL. It outlines the various scenarios in which a threat actor can utilise email forwarding rules and provides examples of the UAL entries generated for each scenario. It also explains how the Security & Compliance center's built-in alerts can be used to identify unusual activity in the UAL. The article provides a mind map that summarises the contents of the blog for use in incident detection and response investigations.
Short Summary
Mastering Email Forwarding Rules in Microsoft 365
In this blog, Invictus Incident Response presents various scenarios in which threat actors can utilise email forwarding rules and the associated evidence in the UAL. Additionally, they have created a comprehensive mind map that summarises the contents of the blog for use in incident detection and response investigations.
- Overview of threat actor techniques for data exfiltration using email forwarding rules
- Scenarios where threat actors can utilise email forwarding rules
- Types of rules: mailbox and transport rules
- Importance of the Unified Audit Log (UAL) for incident response in Microsoft 365 tenants
- UAL entries generated for each scenario; different UAL logs are generated depending on the method used to configure the rules (O365 Admin Portal, PowerShell, Graph API, Outlook client, OWA)
- Use of the Security & Compliance center's built-in alerts to identify unusual activity
- Mind map provided to summarise the contents of the blog for incident detection and response investigations
- Explanation of the ClientIP, Parameters, UserId, ObjectId, RuleOperation, RuleAction, Identity, AppId, and Data fields
- Further reading resources on BEC and email forwarding rules
- Comprehensive overview of email forwarding rules and associated evidence in the UAL
source link: https://invictus-ir.medium.com/email-forwarding-rules-in-microsoft-365-295fcb63d4fb
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/mastering-email-forwarding-rules-in-microsoft-365
#EmailForwardingRules #UnifiedAuditLog #Microsoft365 #IncidentResponse #DetectionAndResponse