Business Email Compromise๐
The Business Email Compromise detector looks for specific techniques that threat actors use against O365 email accounts.
Requirements๐
This detector requires the following data sources, integrations, or schemas:
| Source | Sensor Type |
|---|---|
| Streaming Azure cloud audit data | MICROSOFT_OFFICE_MANAGEMENT |
Inputs๐
Detections are from the following normalized sources:
- CloudAudit
Outputs๐
Detections are pushed to the XDR Detection Database and Detection Triage Dashboard.
The following inbox rules trigger detections:
- Deleting all incoming emails
- Forwarding email to the RSS Subscriptions folder
- Forwarding emails that contain BEC keywords to an external email account
- Delegation of Mailbox Permissions
- Forwarding all email to an external email account
- Deleting any email that has security-related keywords in it, such as (your account may be) hacked or phished
- Mailbox audit logging bypass
Configuration Options๐
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category๐
- MITRE Enterprise ATT&CK - Collection - Email Collection - Email Forwarding Rule. For more information, see MITRE Technique T1114.003.
- MITRE Enterprise ATT&CK - Defense Evasion - Indicator Removal on Host. For more information, see MITRE Technique T1070.
Detector Testing๐
This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References๐
- Schemas