{
"id": "KB-O365-INBOX-RULE-ABUSE",
"memory_type": "knowledge",
"doc_type": "kb",
"scenario": "o365_suspicious_login",
"title": "Inbox Rule Abuse After Account Compromise",
"abstract": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.",
"key_points": [
"Attackers often hide financial emails using move-to-folder rules.",
"Forwarding and delete rules are strong post-compromise indicators.",
"Mailbox audit logs should be reviewed immediately after a suspicious login is confirmed."
],
"investigation_guidance": [
"Enumerate all inbox rules and forwarding settings.",
"Check the mailbox audit timeline around the suspicious sign-in.",
"Review OAuth consents if inbox rules are absent but suspicious mail actions continue."
],
"decision_points": [
"Inbox rule creation shortly after a suspicious login strongly supports a compromise verdict."
],
"related_refs": {
"playbooks": [
"PB-O365-LOGIN-001"
],
"cases": []
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-INBOX-RULE-ABUSE.json",
"tags": [
"kb",
"o365",
"inbox-rule"
]
}