Cloud Service Activity

These detection rules identify suspicious behavior from Cloud Service Activity sent to InsightIDR.

Attacker Technique - Inbox Forwarding Rule Created

Description

This detection identifies the creation of new inbox rules that forward emails to another email address as they are received. Malicious actors use this technique to keep receiving every message sent to the victim even after the victim's password has been changed, because the rule lives in the mailbox rather than in the session. Because password resets and verification codes for other services are delivered by email, the rule can also be used to maintain access to other accounts associated with the victim's email address.

Recommendation

Review the alert in question, including the address the rule forwards to and the client IP and user agent that created it. If the rule is not legitimate, delete it, have the user change their password, and revoke the account's active sessions so the attacker cannot simply re-create the rule with a session that outlives the password change.

Attacker Technique - Inbox Forwarding Rule Created With Keywords

Description

This detection identifies the creation of new inbox rules that match incoming messages on specific keywords and, when a match is found, forward the message or move it out of view. Malicious actors use this technique to keep receiving the messages they care about, or to hide specific messages from the victim, even after the victim's password has been changed. Because password resets and verification codes for other services are delivered by email, the rule can also be used to maintain access to other accounts associated with the victim's email address.

Recommendation

Review the alert in question, including the keywords the rule matches on and the action it takes. If the rule is not legitimate, delete it, have the user change their password, and revoke the account's active sessions.

Attacker Technique - Suspicious Inbox MoveToFolder Rule Created

Description

This detection identifies the creation of new inbox rules that, on receipt, move emails into folders whose names attackers commonly use because users rarely look there. Malicious actors use this technique to hide specific messages from the victim even after the victim's password has been changed. Because password resets and verification codes for other services are delivered by email, the rule can also be used to maintain access to other accounts associated with the victim's email address.

Recommendation

Review the alert in question, including the destination folder and any messages already moved into it. If the rule is not legitimate, delete it, have the user change their password, and revoke the account's active sessions.
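The three rules above read the same event type (inbox-rule creation) and differ only in which rule parameters they look at, so a single added example covers all three. This is not InsightIDR's own logic or Rapid7 code; it runs the three checks over hand-constructed records shaped like Office 365 Unified Audit Log entries for the New-InboxRule and Set-InboxRule cmdlets (an Operation, a UserId, and Parameters as Name/Value pairs). The parameter names are the Exchange cmdlet parameters; the suspicious-folder list and the way parameter combinations are mapped onto the three detection names are assumptions to tune for your tenant.

```python
"""Flag suspicious Exchange Online inbox rules in Office 365 audit records.

Added illustration, not InsightIDR code. The records below are constructed
by hand in the shape of Office 365 Unified Audit Log entries for Exchange
cmdlets: an Operation, a UserId and a list of Name/Value Parameters.
"""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that send a copy of, or redirect, the message to another address.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Parameters that make the rule conditional on message content.
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"}
# Parameters that take a matched message out of the user's view.
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage"}
# Folder names attackers reuse to park mail where users rarely look.
# Assumed starting list; tune it to your tenant.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "archive", "junk email", "deleted items"}


def rule_parameters(record):
    """Collapse the audit record's Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def folder_name(value):
    """'user@x.com:\\RSS Feeds' -> 'rss feeds'; bare folder names pass through."""
    return value.rsplit("\\", 1)[-1].strip().lower()


def classify(record):
    """Return the detection names a single audit record would trigger."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    forwards = FORWARD_PARAMS & params.keys()
    keywords = KEYWORD_PARAMS & params.keys()
    hides = HIDE_PARAMS & params.keys()
    findings = []
    # Rule 1: forwards every message, with no content condition.
    if forwards and not keywords:
        findings.append("Inbox Forwarding Rule Created")
    # Rule 2: forwards or hides only the messages matching chosen words.
    if keywords and (forwards or hides):
        findings.append("Inbox Forwarding Rule Created With Keywords")
    # Rule 3: moves mail into a folder attackers favour for hiding it.
    if folder_name(params.get("MoveToFolder", "")) in SUSPICIOUS_FOLDERS:
        findings.append("Suspicious Inbox MoveToFolder Rule Created")
    return findings


def scan(ndjson):
    """Run every detection over newline-delimited JSON audit records."""
    hits = []
    for line in ndjson.strip().splitlines():
        record = json.loads(line)
        for name in classify(record):
            hits.append((record.get("UserId"), name))
    return hits


# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_LOG = r'''
{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@example.net"},{"Name":"StopProcessingRules","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"203.0.113.11","Parameters":[{"Name":"Name","Value":"invoices"},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"carol@example.com","ClientIP":"203.0.113.12","Parameters":[{"Name":"Name","Value":"..."},{"Name":"MoveToFolder","Value":"carol@example.com:\\RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"dave@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"dave@example.com:\\Newsletters"}]}
{"Operation":"MailItemsAccessed","UserId":"erin@example.com","ClientIP":"198.51.100.8","Parameters":[]}
'''

if __name__ == "__main__":
    for user, detection in scan(SAMPLE_LOG):
        print(f"{detection}: {user}")
```

Dave's rule, which files vendor newsletters into a folder of the same name, is the benign case: a MoveToFolder action alone is not suspicious, only the destination is. Set-InboxRule is included alongside New-InboxRule because an attacker can add a forwarding action to a rule the user already has, which a check on rule creation alone would miss.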