Find sigma rule :x:

Attack: Email Collection: Remote Email Collection

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user’s credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

MITRE

Tactic

technique

Test : Office365 - Remote Mail Collected

OS

Description:

Create and register an Entra application that downloads emails from a tenant’s Office 365 mailboxes using Microsoft Graph API app-only access. This can be used by an adversary to collect an organization’s sensitive information.

Executor

powershell

Sigma Rule
