Leveraging Exchange Telemetry in O365 Mailbox Attack
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Red Canary
Red Canary's threat research article shared an email compromise campaign in which attackers aimed to set up payroll diversion fraud. The scenario outlined involved "the adversary compromises an email account and abuses their access in an attempt to update that user’s direct deposit information by corresponding via email with payroll department, forwarding relevant correspondence into a rarely used folder to evade notice, and eventually—if successful—routing the legitimate user’s paycheck into the criminal’s bank account." Defenders can leverage detection analytics that look for an Office 365 login followed in quick succession by mailbox tampering: a high number of emails accessed and/or forwarding rules created by the threat actor for persistence and automatic data exfiltration. The attack sequence occurred within 12 minutes, from the attackers logging in, to accessing mailbox items, creating inbox rules, and sending a fictitious direct deposit update request to the victim's HR department.
- O365: Suspicious Login then Stage Email Exfiltration
Anvilogic Use Cases:
- O365 Impossible Travels Sign-in
- O365 Inbox Rules
- O365 Auto Forward
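As an added example (not Red Canary's or Anvilogic's code), the login-then-mailbox-tampering correlation described above over constructed Unified Audit Log records: a login, a burst of MailItemsAccessed events and an inbox-rule change by the same user inside a 15-minute window produce one finding. The reduced record shape (CreationTime, UserId, Operation, ClientIP), the sample values and the thresholds are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_OPS = {"Set-Mailbox"}  # ForwardingSmtpAddress changes land here; a real detector would inspect Parameters

def _event(ts, user, op, ip):
    return json.dumps({"CreationTime": ts, "UserId": user, "Operation": op, "ClientIP": ip})

# Constructed sample (not real telemetry): one user logs in, reads mail in a burst, then
# creates an inbox rule 11 minutes after login; a second user edits a rule with no read burst.
SAMPLE_LOG = [_event("2023-05-02T13:00:00", "jane@corp.example", "UserLoggedIn", "198.51.100.7")]
SAMPLE_LOG += [_event(f"2023-05-02T13:0{m}:{s:02d}", "jane@corp.example", "MailItemsAccessed", "198.51.100.7")
               for m in range(1, 4) for s in (0, 15, 30, 45)]  # 12 mailbox access events
SAMPLE_LOG += [_event("2023-05-02T13:11:00", "jane@corp.example", "New-InboxRule", "198.51.100.7"),
               _event("2023-05-02T09:00:00", "bob@corp.example", "UserLoggedIn", "203.0.113.9"),
               _event("2023-05-02T09:30:00", "bob@corp.example", "Set-InboxRule", "203.0.113.9")]

def detect_login_then_mailbox_staging(lines, window=timedelta(minutes=15), min_reads=10):
    """For each UserLoggedIn event, look for at least `min_reads` MailItemsAccessed events
    plus one inbox-rule or forwarding change from the same user inside `window`.
    Returns one finding per qualifying login (thresholds are assumed values)."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["CreationTime"])
    for e in events:
        e["_t"] = datetime.fromisoformat(e["CreationTime"])
    findings = []
    for login in (e for e in events if e["Operation"] == "UserLoggedIn"):
        later = [e for e in events
                 if e["UserId"] == login["UserId"] and login["_t"] <= e["_t"] <= login["_t"] + window]
        reads = sum(1 for e in later if e["Operation"] == "MailItemsAccessed")
        rules = [e["Operation"] for e in later if e["Operation"] in RULE_OPS | FORWARD_OPS]
        if reads >= min_reads and rules:
            findings.append({"user": login["UserId"], "login_ip": login["ClientIP"],
                             "login_time": login["CreationTime"], "mail_reads": reads,
                             "rule_ops": rules,
                             "span_minutes": (later[-1]["_t"] - login["_t"]).seconds // 60})
    return findings

if __name__ == "__main__":
    for finding in detect_login_then_mailbox_staging(SAMPLE_LOG):
        print(json.dumps(finding))
```

Tuning the window and read threshold against baseline activity (mail clients that sync in bursts) is what keeps this from firing on ordinary users; the impossible-travel signal from the login IP is the natural second stage.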