Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> PowerShell cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.
Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)
In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-04 | Information Flow Enforcement | Protects | T1564.008 | Email Hiding Rules | |
| CM-03 | Configuration Change Control | Protects | T1564.008 | Email Hiding Rules | |
| CM-05 | Access Restrictions for Change | Protects | T1564.008 | Email Hiding Rules | |
| CM-07 | Least Functionality | Protects | T1564.008 | Email Hiding Rules | |
| SI-03 | Malicious Code Protection | Protects | T1564.008 | Email Hiding Rules | |
| SI-04 | System Monitoring | Protects | T1564.008 | Email Hiding Rules | |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1564.008 | Email Hiding Rules |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1564.008 | Email Hiding Rules |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Email Hiding Rule attacks due to administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-fowarding and transport rules.
License Requirements:
Microsoft 365 E3 and E5
References
|
| EOP-MFR-E3 | Mail Flow Rules | Technique Scores | T1564.008 | Email Hiding Rules |
Comments
In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them. Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
Mail Flow Rules protects from Email Hiding Rules attacks due to it's detection mechanisms that include the ability to audit inbox rules on a regular basis as they are in transit.
License Requirements:
Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1564.008 | Email Hiding Rules |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1564.008 | Email Hiding Rules |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Email Hiding Rules attacks due to Incident Response being able to monitor for creation or modification of suspicious inbox rules.
License Requirements:
Microsoft Defender XDR
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1564.008 | Email Hiding Rules |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|