Technique on mitre.org

T1564.008: Email Hiding Rules

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.

Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines.

In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions. Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of events related to suspicious execution of the following PowerShell cmdlets: New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. In environments using Exchange, monitor logs for the creation or modification of mail transport rules.

ID	DS0017	Data source and component	Command: Command Execution	Description	On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the `New-InboxRule`, `Set-InboxRule`, `New-TransportRule`, and `Set-TransportRule` PowerShell cmdlets.

ID	DS0022	Data source and component	File: File Modification	Description	On MacOS systems, monitor for modifications to the `RulesActiveState.plist`, `SyncedRules.plist`, `UnsyncedRules.plist`, and `MessageRules.plist` files.

ID	Data source and component	Description
DS0015	Application Log: Application Log Content	Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. In environments using Exchange, monitor logs for the creation or modification of mail transport rules.
DS0017	Command: Command Execution	On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the `New-InboxRule`, `Set-InboxRule`, `New-TransportRule`, and `Set-TransportRule` PowerShell cmdlets.
DS0022	File: File Modification	On MacOS systems, monitor for modifications to the `RulesActiveState.plist`, `SyncedRules.plist`, `UnsyncedRules.plist`, and `MessageRules.plist` files.

Mitigation

ID	M1047	Name	Audit	Description	Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. In an Exchange environment, Administrators can use `Get-InboxRule` / `Remove-InboxRule` and `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious inbox and transport rules.

ID	Name	Description
M1047	Audit	Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. In an Exchange environment, Administrators can use `Get-InboxRule` / `Remove-InboxRule` and `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious inbox and transport rules.