Business Email Compromise🔗
The Business Email Compromise detector looks for specific techniques that threat actors use against O365 email accounts.
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
| Source | Sensor Type |
|---|---|
| Streaming Azure cloud audit data | MICROSOFT_OFFICE_MANAGEMENT |
Inputs🔗
Detections are from the following normalized sources:
- CloudAudit
Outputs🔗
Alerts are pushed to the XDR Alert Database and Alert Triage Dashboard.
The following inbox rules trigger alerts:
- Deleting all incoming emails
- Forwarding email to the RSS Subscriptions folder
- Forwarding emails that contain BEC keywords to an external email account
- Delegation of Mailbox Permissions
- Forwarding all email to an external email account
- Deleting any email that has security-related keywords in it, such as (your account may be) hacked or phished
- Mailbox audit logging bypass
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category🔗
- MITRE Enterprise ATT&CK - Collection - Email Collection - Email Forwarding Rule. For more information, see MITRE Technique T1114.003.
- MITRE Enterprise ATT&CK - Defense Evasion - Indicator Removal on Host. For more information, see MITRE Technique T1070.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References🔗
- Schemas