Business Email Compromise
The Business Email Compromise detector looks for specific techniques that threat actors use against O365 email accounts.
The following inbox rules trigger alerts:
- Deleting all incoming emails
- Forwarding email to the RSS Subscriptions folder
- Forwarding emails that contain BEC keywords to an external email account
- Delegation of Mailbox Permissions
- Forwarding all email to an external email account
- Deleting any email that has security-related keywords in it, such as (your account may be) hacked or phished
- Mailbox audit logging bypass
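As an added illustration (not the detector's own logic or the Taegis CloudAudit schema), the Python below labels the techniques listed above in constructed audit events shaped like Office 365 Management Activity API Exchange records; the sample events, `INTERNAL_DOMAINS` and the keyword list are assumptions of this example.

```python
# Constructed sample events shaped like Office 365 Management Activity API Exchange
# records (Operation plus a Parameters name/value list); the layout is an assumption.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ceo@example.com", "Parameters": [
        {"Name": "ForwardTo", "Value": "attacker@external-mail.test"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "ForwardTo", "Value": "finance@external-mail.test"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phished"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com", "Parameters": [
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "Set-MailboxAuditBypassAssociation", "UserId": "admin@example.com",
     "Parameters": [{"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "Parameters": [
        {"Name": "From", "Value": "news@example.com"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},  # benign: no alert
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
SECURITY_KEYWORDS = {"hacked", "phished", "phishing", "compromised", "password"}
CONDITION_KEYS = ("From", "SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def classify_event(event):
    """Return short labels for every BEC technique one audit event matches."""
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    op = event.get("Operation", "")
    if op == "Set-MailboxAuditBypassAssociation":
        return ["audit-bypass"] if params.get("AuditBypassEnabled") == "True" else []
    if op not in ("New-InboxRule", "Set-InboxRule"):
        return []
    found = []
    scoped = any(k in params for k in CONDITION_KEYS)  # rule matches only some mail
    recipients = [r for k in FORWARD_KEYS for r in params.get(k, "").split(";") if r]
    if any(r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for r in recipients):
        found.append("forward-keyword-external" if scoped else "forward-all-external")
    if params.get("DeleteMessage") == "True":
        words = " ".join(params.get(k, "") for k in CONDITION_KEYS).lower()
        if not scoped:
            found.append("delete-all")
        elif any(w in words for w in SECURITY_KEYWORDS):
            found.append("delete-security-warnings")
    if params.get("MoveToFolder", "").lower() == "rss subscriptions":
        found.append("move-to-rss")
    return found
```

Mailbox delegation (for example an `Add-MailboxPermission` event) is not covered by the snippet and would need its own operation branch.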
Business Email Compromise Detector
Inputs
| Source | Sensor Type |
|---|---|
| Streaming Azure cloud audit data | "MICROSOFT_OFFICE_MANAGEMENT" |
Schema
CloudAudit
Outputs
Alerts pushed to the Secureworks® Taegis™ XDR Alert Database and XDR Dashboard.
MITRE ATT&CK Category
- MITRE Enterprise ATT&CK - Collection - Email Collection - Email Forwarding Rule. For more information, see MITRE Technique T1114.003.
- MITRE Enterprise ATT&CK - Defense Evasion - Indicator Removal on Host. For more information, see MITRE Technique T1070.
Configuration Options
None
Detector Requirements
- Auth