16 lines
1.1 KiB
JSON
16 lines
1.1 KiB
JSON
{
|
|
"doc_id": "KB-O365-INBOX-RULE-ABUSE",
|
|
"doc_type": "kb",
|
|
"title": "Inbox Rule Abuse After Account Compromise",
|
|
"scenario": "o365_suspicious_login",
|
|
"summary": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.",
|
|
"applicability": ["azuread_suspicious_inbox_rule_after_login"],
|
|
"key_points": ["Attackers often hide financial emails using move-to-folder rules.", "Forwarding and delete rules are strong post-compromise indicators.", "Mailbox audit logs should be reviewed immediately after suspicious login confirmation."],
|
|
"investigation_guidance": ["Enumerate all inbox rules and forwarding settings.", "Check mailbox audit timeline around suspicious sign-in.", "Review OAuth consents if inbox rules are absent but suspicious mail actions continue."],
|
|
"decision_points": ["Inbox rule creation shortly after suspicious login strongly supports compromise verdict."],
|
|
"related_entities": {"ttps": ["T1114"], "iocs": []},
|
|
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
|
|
"tags": ["kb", "o365", "inbox-rule"],
|
|
"updated_at": "2026-04-10T09:40:00+08:00"
|
|
}
|