O365 Suspicious User Email Forwarding
Description
This search detects when multiple user configured a forwarding rule to the same destination.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-16
- Author: Patrick Bareiss, Splunk
- ID: f8dfe015-dbb3-4569-ba75-b13787e06aa4
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
`o365_management_activity` Operation=Set-Mailbox
| spath input=Parameters
| rename Identity AS src_user
| search ForwardingSmtpAddress=*
| stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress
| where count_src_user > 1
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
|`o365_suspicious_user_email_forwarding_filter`
Macros
The SPL above uses the following Macros:
o365_suspicious_user_email_forwarding_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Operation
- Parameters
How To Implement
You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
Known False Positives
unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 48.0 | 80 | 60 | User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1