
Description

This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2020-12-16
  • Author: Patrick Bareiss, Splunk
  • ID: 7f398cfb-918d-41f4-8db8-2e2474e02c28

Annotations

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1114.003 | Email Forwarding Rule | Collection |
| T1114 | Email Collection | Collection |
Kill Chain Phase
  • Actions on Objectives
NIST
  • DE.DP
  • DE.AE
CIS20
  • CIS 16
CVE

Search

```spl
`o365_management_activity` Operation=Set-Mailbox
| spath input=Parameters
| rename Identity AS src_user
| search ForwardingAddress=*
| stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress
| where count_src_user > 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_suspicious_admin_email_forwarding_filter`
```
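The same grouping logic as the search, re-implemented in Python as an added example (not part of the Splunk content) so the detection can be reasoned about or replayed offline against raw audit records. The events are constructed; the `Parameters` field is assumed to be a JSON string, and both the raw Name/Value array form and a flattened object form are accepted since add-on output differs between versions. The `user` field is assumed to map to the event's `UserId` (the admin who ran Set-Mailbox).

```python
import json
from collections import defaultdict

# Constructed sample events shaped like o365:management:activity records (not real data).
SAMPLE_EVENTS = [
    {"CreationTime": "2020-12-16T10:00:00", "Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "alice"},
                               {"Name": "ForwardingAddress", "Value": "smtp:collector@example.net"}])},
    {"CreationTime": "2020-12-16T10:05:00", "Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "Parameters": json.dumps({"Identity": "bob", "ForwardingAddress": "smtp:collector@example.net"})},
    {"CreationTime": "2020-12-16T10:07:00", "Operation": "Set-Mailbox", "UserId": "helpdesk@example.com",
     "Parameters": json.dumps({"Identity": "carol", "ForwardingAddress": "smtp:carol.home@example.org"})},
    {"CreationTime": "2020-12-16T10:09:00", "Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "Parameters": json.dumps({"Identity": "dave", "AuditEnabled": "True"})},   # no forwarding set
    {"CreationTime": "2020-12-16T10:11:00", "Operation": "New-InboxRule", "UserId": "admin@example.com",
     "Parameters": json.dumps({"Name": "x", "ForwardTo": "smtp:collector@example.net"})},  # other op
]

def parse_parameters(raw):
    """Equivalent of `spath input=Parameters`: return a flat {name: value} dict.
    Assumption: Parameters is either a Name/Value array or an already-flattened object."""
    data = json.loads(raw)
    if isinstance(data, list):
        return {p["Name"]: p["Value"] for p in data if "Name" in p}
    return dict(data)

def find_shared_forwarding(events, threshold=1):
    """Mirror the SPL: Set-Mailbox events carrying ForwardingAddress, grouped by destination,
    flagged when more than `threshold` distinct mailboxes forward to the same address."""
    groups = defaultdict(lambda: {"src_user": set(), "user": set(), "times": []})
    for ev in events:
        if ev.get("Operation") != "Set-Mailbox":          # Operation=Set-Mailbox
            continue
        params = parse_parameters(ev.get("Parameters", "{}"))
        dest = params.get("ForwardingAddress")
        if not dest:                                      # search ForwardingAddress=*
            continue
        g = groups[dest]
        g["src_user"].add(params.get("Identity", ""))     # rename Identity AS src_user
        g["user"].add(ev.get("UserId", ""))               # values(user), assumed = UserId
        g["times"].append(ev["CreationTime"])             # same ISO format, so min/max sort correctly
    results = []
    for dest, g in groups.items():
        if len(g["src_user"]) > threshold:                # where count_src_user > 1
            results.append({"ForwardingAddress": dest, "count_src_user": len(g["src_user"]),
                            "src_user": sorted(g["src_user"]), "user": sorted(g["user"]),
                            "firstTime": min(g["times"]), "lastTime": max(g["times"])})
    return results
```

Running `find_shared_forwarding(SAMPLE_EVENTS)` on the constructed data flags only the collector address, which two different mailboxes (alice and bob) were pointed at by the same admin.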

Macros

The SPL above uses the following Macros:

Note that o365_suspicious_admin_email_forwarding_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

  • _time
  • Operation
  • Parameters

How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Known False Positives

unknown

Associated Analytic story

RBA

| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 48.0 | 80 | 60 | User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$ |

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1