Correlates creation of email forwarding rules or forwarding header artifacts (e.g., X-MS-Exchange-Organization-AutoForwarded) with suspicious process execution, access to .pst/.ost mailbox files, and network connections to external SMTP servers. Note that EventCode 5145 only records access to .pst/.ost files on network shares; reads of local Outlook data files require object access auditing (EventCode 4663) or Sysmon file events.
| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Application Log Content (DC0038) | WinEventLog:Application | Exchange logs or header artifacts |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Defines correlation window across email rule creation and outbound SMTP. |
| UserContext | Excludes or separately baselines admin and service accounts (e.g., backup or migration accounts) whose access to mailbox files is expected, to reduce false positives. |
| SMTPDomainList | Allow list of expected external email domains and relays; outbound SMTP to any other destination is treated as suspicious. |

Detects file access to mbox/maildir files in conjunction with curl/wget/postfix execution, or anomalous shell scripts harvesting user mail directories.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open, openat |
| Network Connection Creation (DC0082) | linux:syslog | postfix/smtpd |
| Process Creation (DC0032) | linux:osquery | process_events |

| Field | Description |
|---|---|
| WatchedMailDirs | Specify user mail directories (/var/mail, ~/Maildir) |
| ProcessNameList | Tune based on local mail clients or curl usage in environment |
| TimeWindow | Define how close together access and exfil events must occur |
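The Windows and Linux analytics above share one correlation shape: a mail-store access (a .pst/.ost on a share, an mbox or Maildir path) followed within TimeWindow, on the same host and for the same user, by a tool from ProcessNameList or an outbound connection to an SMTP port that is not one of the organisation's own relays. The example below is added here and is not code from the original page; it assumes the records have already been normalized by a SIEM from Security 5145 / Sysmon 3 / auditd / osquery / postfix syslog (the raw parsers are out of scope), the tunable values are assumptions, and every sample event is constructed. The path matcher also covers Mail.app .emlx files, so the same logic serves the macOS analytic.

```python
"""Correlate mail-store access with follow-on exfil activity on one host/user.

Added example, not code from the original page. Assumes SIEM-normalized
records; tunables and sample events below are assumptions/constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "file_access" | "process" | "net_conn"
    detail: str    # file path, process name, or "dst_ip:dst_port"


# Tunables mirroring the Field tables (values are assumptions for this example).
WATCHED_MAIL_DIRS = ("/var/mail/", "/var/spool/mail/", "/maildir/")
MAIL_FILE_EXTS = (".pst", ".ost", ".mbox", ".emlx")
PROCESS_NAME_LIST = {"curl", "wget", "sendmail", "python3", "bash"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}
TIME_WINDOW = timedelta(minutes=10)


def is_mail_store(path: str) -> bool:
    """True for mbox/maildir locations or Outlook/Mail.app data files."""
    p = path.replace("\\", "/").lower()
    return any(d in p for d in WATCHED_MAIL_DIRS) or p.endswith(MAIL_FILE_EXTS)


def is_external_smtp(detail: str) -> bool:
    """True when the destination is an SMTP port outside the internal ranges,
    i.e. not one of the organisation's own relays."""
    ip_str, port = detail.rsplit(":", 1)
    if int(port) not in SMTP_PORTS:
        return False
    ip = ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(events, window=TIME_WINDOW):
    """Alert when a mail-store access is followed, within `window` and under the
    same host/user, by a listed tool execution or an external SMTP connection."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, anchor in enumerate(ordered):
        if anchor.kind != "file_access" or not is_mail_store(anchor.detail):
            continue
        evidence = []
        for ev in ordered[i + 1:]:
            if ev.ts - anchor.ts > window:
                break                       # sorted by time: nothing later qualifies
            if (ev.host, ev.user) != (anchor.host, anchor.user):
                continue
            if ev.kind == "process" and ev.detail in PROCESS_NAME_LIST:
                evidence.append(f"process:{ev.detail}")
            elif ev.kind == "net_conn" and is_external_smtp(ev.detail):
                evidence.append(f"smtp:{ev.detail}")
        if evidence:
            alerts.append({"host": anchor.host, "user": anchor.user,
                           "mail_store": anchor.detail, "evidence": evidence})
    return alerts


T0 = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed for this example
    # mail01: auditd open of the user's mbox, then curl, then submission to a foreign MTA
    Event(T0, "mail01", "alice", "file_access", "/var/mail/alice"),
    Event(T0 + timedelta(seconds=5), "mail01", "alice", "process", "curl"),
    Event(T0 + timedelta(seconds=6), "mail01", "alice", "net_conn", "203.0.113.10:587"),
    # mail01: local MTA delivering via the internal relay, expected traffic
    Event(T0 + timedelta(minutes=1), "mail01", "root", "file_access", "/var/mail/bob"),
    Event(T0 + timedelta(minutes=1, seconds=2), "mail01", "root", "net_conn", "10.0.0.25:25"),
    # ws07: Security 5145 share access to a .pst, then Sysmon 3 to port 25 outside
    Event(T0 + timedelta(minutes=30), "ws07", "bob", "file_access", r"\\fs01\users\bob\outlook.pst"),
    Event(T0 + timedelta(minutes=32), "ws07", "bob", "net_conn", "198.51.100.7:25"),
    # dev03: Maildir read and wget an hour apart, outside the window
    Event(T0 + timedelta(hours=2), "dev03", "carol", "file_access", "/home/carol/Maildir/cur/1.eml"),
    Event(T0 + timedelta(hours=3), "dev03", "carol", "process", "wget"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two alerts (alice on mail01 with both a curl execution and an external submission, bob on ws07 with only the SMTP connection); the root/relay delivery and carol's widely spaced events do not fire. In production the internal ranges and the sanctioned relay list are the main tuning knobs, since a mail server legitimately touches every mailbox and talks SMTP all day.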
Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Mail or AppleScript subsystem |
| File Access (DC0055) | macos:endpointsecurity | es_event_open, es_event_exec |

| Field | Description |
|---|---|
| ScriptProcessNameList | Script interpreters or automation tools (osascript, Automator, etc.) |
| WatchedMailFiles | Mail.app Envelope Index SQLite database or .emlx message directories under ~/Library/Mail |

Correlates unusual auto-forwarding rule creation via Exchange Web Services, Remote PowerShell cmdlets, or the Outlook rules engine, the presence of X-MS-Exchange-Organization-AutoForwarded headers on outbound mail, and sign-ins for the same account from unusual IPs or locations.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | m365:unified | Set-Mailbox, New-InboxRule, Set-InboxRule |
| Application Log Content (DC0038) | m365:exchange | MessageTrace logs |
| Logon Session Creation (DC0067) | azure:ad | SignInEvents |

| Field | Description |
|---|---|
| UserAgentList | Allow list of clients expected to create rules (browser/OWA, Outlook); rule creation from other user agents such as scripted EWS, REST or PowerShell clients is flagged |
| ExternalSMTPDomainList | Allow listing for org-sanctioned forwarding domains |
| TimeWindow | Time delta between rule creation and suspicious sign-in |
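The Microsoft 365 analytic (and the forwarding-rule side of the Windows analytic) comes down to three checks: does a New-InboxRule/Set-InboxRule/Set-Mailbox record forward to an address outside the tenant and outside ExternalSMTPDomainList, did it come from a client not on UserAgentList, and was there a sign-in for the same account from an unfamiliar location within TimeWindow before the change. The example below is added here and is not code from the page or from Microsoft. Record shapes are simplified from Search-UnifiedAuditLog AuditData and Entra sign-in logs; the client string field name (ClientInfoString), the tenant domains, the country baseline and every record are assumptions constructed for this example. It also checks captured headers for the auto-forward marker the analytic names.

```python
"""Flag external auto-forwarding in Exchange Online and tie it to an anomalous
sign-in. Added example, not page or vendor code; record shapes are simplified
and all data below is constructed.
"""
from datetime import datetime, timedelta
from email import message_from_string

INTERNAL_DOMAINS = {"contoso.com"}                  # the tenant's own domains (assumed)
EXTERNAL_SMTP_DOMAIN_LIST = {"partner.example"}     # org-sanctioned forwarding targets
USER_AGENT_LIST = ("Client=OWA", "Client=Outlook")  # clients expected to create rules
KNOWN_COUNTRIES = {"alice@contoso.com": {"US"}, "bob@contoso.com": {"US", "CA"}}
TIME_WINDOW = timedelta(hours=24)                   # sign-in lookback before the change
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def external_targets(record: dict) -> list:
    """Forwarding addresses in this record that are neither tenant-internal
    nor on the sanctioned domain list (handles 'smtp:' prefixes and ';' lists)."""
    out = []
    for p in record.get("Parameters", []):
        if p["Name"] not in FORWARD_PARAMS:
            continue
        for addr in p["Value"].split(";"):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):
                addr = addr[5:]
            domain = addr.rsplit("@", 1)[-1]
            if addr and domain not in INTERNAL_DOMAINS | EXTERNAL_SMTP_DOMAIN_LIST:
                out.append(addr)
    return out


def anomalous_signins(user: str, before: datetime, signins, window=TIME_WINDOW):
    """Sign-ins by `user` in the window before `before` from a country that is
    not in the user's baseline."""
    baseline = KNOWN_COUNTRIES.get(user.lower(), set())
    hits = []
    for s in signins:
        ts = parse_ts(s["createdDateTime"])
        if s["userPrincipalName"].lower() != user.lower() or not before - window <= ts <= before:
            continue
        country = s["location"]["countryOrRegion"]
        if country not in baseline:
            hits.append({"ip": s["ipAddress"], "country": country, "at": ts.isoformat()})
    return hits


def detect(audit_records, signins):
    """One alert per rule/mailbox change that forwards externally, enriched with
    client-agent and sign-in context for triage."""
    alerts = []
    for r in audit_records:
        if r.get("Operation") not in RULE_OPS:
            continue
        targets = external_targets(r)
        if not targets:
            continue
        created = parse_ts(r["CreationTime"])
        client = r.get("ClientInfoString", "")   # field name is an assumption
        alerts.append({
            "user": r["UserId"], "operation": r["Operation"], "targets": targets,
            "client_ip": r.get("ClientIP"),
            "unexpected_client": not any(ua in client for ua in USER_AGENT_LIST),
            "anomalous_signins": anomalous_signins(r["UserId"], created, signins),
        })
    return alerts


def auto_forwarded(raw_headers: str) -> bool:
    """True when captured message headers carry Exchange's auto-forward marker."""
    msg = message_from_string(raw_headers)
    return msg.get("X-MS-Exchange-Organization-AutoForwarded", "").strip().lower() == "true"


AUDIT = [  # constructed
    {"CreationTime": "2024-05-01T09:15:00Z", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.44",
     "ClientInfoString": "Client=REST;Client=RESTSystem",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:drop@evil-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T10:00:00Z", "Operation": "Set-Mailbox",
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.9", "ClientInfoString": "Client=OWA",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@partner.example"}]},
    {"CreationTime": "2024-05-01T11:00:00Z", "Operation": "New-InboxRule",
     "UserId": "carol@contoso.com", "ClientIP": "198.51.100.9", "ClientInfoString": "Client=Outlook",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
SIGNINS = [  # constructed
    {"userPrincipalName": "alice@contoso.com", "createdDateTime": "2024-05-01T08:50:00Z",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "NG"}},
    {"userPrincipalName": "alice@contoso.com", "createdDateTime": "2024-04-28T08:50:00Z",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@contoso.com", "createdDateTime": "2024-05-01T09:58:00Z",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}},
]

if __name__ == "__main__":
    for alert in detect(AUDIT, SIGNINS):
        print(alert)
```

Only alice's rule fires: it forwards to an unsanctioned domain, was created by a non-browser client, and follows a sign-in from a country outside her baseline 25 minutes earlier; the rule name "." and DeleteMessage=True in the same record are the classic hide-the-evidence pattern worth surfacing in the alert body. Bob's forwarding goes to a domain on ExternalSMTPDomainList and carol's rule forwards nothing, so neither produces an alert.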