{ "id": "KB-O365-INBOX-RULE-ABUSE", "memory_type": "knowledge", "doc_type": "kb", "scenario": "o365_suspicious_login", "title": "Inbox Rule Abuse After Account Compromise", "abstract": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.", "key_points": [ "Attackers often hide financial emails using move-to-folder rules.", "Forwarding and delete rules are strong post-compromise indicators.", "Mailbox audit logs should be reviewed immediately once a suspicious login has been confirmed." ], "investigation_guidance": [ "Enumerate all inbox rules and mailbox forwarding settings.", "Check the mailbox audit timeline around the time of the suspicious sign-in.", "Review OAuth consents if no inbox rules are present but suspicious mail actions continue." ], "decision_points": [ "Inbox rule creation shortly after a suspicious login strongly supports a compromise verdict." ], "related_refs": { "playbooks": [ "PB-O365-LOGIN-001" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-INBOX-RULE-ABUSE.json", "tags": [ "kb", "o365", "inbox-rule" ] }