Analytic Story: Suspicious Emails

Description

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

Why it matters

It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content. Once a phishing message has been detected, the next steps are to answer the following questions:

  1. Which users have received this or a similar message in the past?
  2. When did the targeted campaign begin?
  3. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?

This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.
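The triage workflow above, worked through in code as an added example (this is not one of the Analytic Story's searches and not Splunk's code). It runs two of the listed checks, a space-padded attachment name and a suspicious attachment extension, over a handful of constructed message-trace style records, then answers the first two investigative questions for each hit: which other recipients received the same or a similar message, and when the earliest copy arrived. The record fields (sender, recipient, subject, attachment, received) are an assumed simplification of a message trace, and the extension list and padding threshold are assumptions to be tuned per environment.

```python
"""Phishing triage over constructed message-trace records (added example).

Not the Analytic Story's own searches. Field names, the extension list and
the space-padding threshold are assumptions for illustration.
"""
from datetime import datetime
import re

# Assumed list of extensions that deliver a payload directly when opened.
SUSPICIOUS_EXTENSIONS = {"exe", "js", "vbs", "scr", "hta", "iso", "lnk", "bat", "cmd", "ps1"}

# Long runs of spaces push the real extension out of view in clients that
# truncate long attachment names; ten or more spaces is an assumed threshold.
SPACE_PADDING = re.compile(r" {10,}")

# Constructed sample records; not real mail data.
SAMPLE_TRACE = [
    {"received": "2024-03-04T08:02:11", "sender": "payroll@contoso-hr.example",
     "recipient": "alice@corp.example", "subject": "Updated payslip",
     "attachment": "payslip_march.pdf                                   .exe"},
    {"received": "2024-03-04T08:05:40", "sender": "payroll@contoso-hr.example",
     "recipient": "bob@corp.example", "subject": "Updated Payslip",
     "attachment": "payslip_march.pdf                                   .exe"},
    {"received": "2024-03-04T09:30:00", "sender": "vendor@partner.example",
     "recipient": "carol@corp.example", "subject": "Invoice 4471",
     "attachment": "invoice_4471.js"},
    {"received": "2024-03-04T10:12:05", "sender": "team@corp.example",
     "recipient": "dave@corp.example", "subject": "Q1 roadmap",
     "attachment": "roadmap.pptx"},
]


def attachment_extension(name):
    """Lower-cased final extension of an attachment name, ignoring leading/trailing padding."""
    stripped = name.strip()
    if "." not in stripped:
        return ""
    return stripped.rsplit(".", 1)[1].lower()


def flag_attachment(name):
    """Reasons an attachment name looks suspicious; empty list means clean."""
    reasons = []
    if SPACE_PADDING.search(name):
        reasons.append("space_padded_name")
    if attachment_extension(name) in SUSPICIOUS_EXTENSIONS:
        reasons.append("suspicious_extension")
    return reasons


def find_suspicious(records):
    """Records whose attachment trips either check, annotated with the reasons."""
    hits = []
    for rec in records:
        reasons = flag_attachment(rec["attachment"])
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def _norm(text):
    """Normalise a subject so minor casing/whitespace differences still match."""
    return " ".join(text.lower().split())


def similar(a, b):
    """Same campaign heuristic: same sender and subject, or byte-identical attachment name."""
    same_lure = a["sender"] == b["sender"] and _norm(a["subject"]) == _norm(b["subject"])
    return same_lure or a["attachment"] == b["attachment"]


def campaign_scope(records, hit):
    """Which recipients received this or a similar message, and when the campaign began."""
    related = [r for r in records if similar(r, hit)]
    first_seen = min(datetime.fromisoformat(r["received"]) for r in related)
    return {
        "recipients": sorted({r["recipient"] for r in related}),
        "first_seen": first_seen.isoformat(),
        "count": len(related),
    }


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_TRACE):
        scope = campaign_scope(SAMPLE_TRACE, hit)
        print(hit["recipient"], hit["attachment"].strip(), hit["reasons"], scope)
```

The third question (did anyone open the attachment or click the link) cannot be answered from the message trace alone; it needs endpoint or proxy telemetry joined on recipient and time, which is why the story pairs detection searches with separate investigative ones.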

Detections

Name | Technique | Type
Email Attachments With Lots Of Spaces | None | Anomaly
Monitor Email For Brand Abuse | None | TTP
Suspicious Email Attachment Extensions | Spearphishing Attachment | Anomaly
O365 Email Hard Delete Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly
O365 Email Password and Payroll Compromise Behavior | Clear Mailbox Data, Data Destruction, Local Email Collection | TTP
O365 Email Receive and Hard Delete Takeover Behavior | Clear Mailbox Data, Data Destruction, Local Email Collection | Anomaly
O365 Email Reported By Admin Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP
O365 Email Reported By User Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP
O365 Email Send and Hard Delete Exfiltration Behavior | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly
O365 Email Send and Hard Delete Suspicious Behavior | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly
O365 Email Send Attachments Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly
O365 Email Suspicious Behavior Alert | Email Forwarding Rule | TTP
O365 Threat Intelligence Suspicious Email Delivered | Spearphishing Attachment, Spearphishing Link | Anomaly
O365 ZAP Activity Detection | Spearphishing Attachment, Spearphishing Link | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Office 365 Reporting Message Trace | N/A | o365:reporting:messagetrace | o365
Office 365 Universal Audit Log | N/A | o365:management:activity | o365

Source: GitHub | Version: 1