Simplest way to be notified that a client has been compromised. (O365)

thecomputerguy

When a client gets compromised it's almost always the same story.

Link clicked, token stolen, logs with bad logins showing "previously satisfied", rules configured, client is then notified by one of their clients that they have been hacked.

Client notifies me.

I tried setting up an alert policy in security.microsoft.com to notify me when an Inbox-Rule is created, but that option does not exist. The only option is to notify when a user creates a forward/redirect of mail.

This seems like such a trivial function; I can't believe it isn't easier to configure.

My clients all use Business Standard/Business Premium.

How can I be better notified when a client is compromised when FIDO keys and CA policies requiring Intune-registered compliant devices aren't an option?

@YeOldeStonecat @Sky-Knight
 
Yeah, the built-in alerts... from Defender > Email & Collab > Policies & Rules > Alert Policies... those aren't bad. Used those in the old days, sort of like a "poor man's SIEM"... we'd have it fire off emails to our helpdesk email address.

And I can't believe the canned alert for "Creation of forwarding/redirect rule" is not at least 2 bars red... it's all gray like it's minimal... heh.
Although its counterpart, a nearly similar rule, "Suspicious Email Forwarding Activity", is all 3 bars red.

There is a rule called "Email messages removed after delivery" which is close... covers a little bit of that gap.

But yeah, we lean on the stack of tools now... Huntress ITDR, and even Augmentt does lots of this.
 
In the O365 policies you can tell it to block forwarding to an external domain. This would generate an alert if someone attempted to do that.
 
So, is there any way to make a "notify me when an Inbox-Rule is created" alert within M365?

Yes, there is a "Created mail forward or redirect rule" alert you can enable. Like @TazUk said, blocking forwarding to an external domain is a good one as long as they don't have some workflow in place that requires this (forwarding to web-based practice management software, for example). Also block email from their domain that didn't originate in their domain - again, if they don't have some workflow that requires this (marketing stuff like Canva, etc.).
 
> Yes, there is a "Created mail forward or redirect rule" alert you can enable. Like @TazUk said, blocking forwarding to an external domain is a good one as long as they don't have some workflow in place that requires this (forwarding to web-based practice management software, for example). Also block email from their domain that didn't originate in their domain - again, if they don't have some workflow that requires this (marketing stuff like Canva, etc.).

This is partially correct.

Yes, it does alert when a forwarding/redirect rule is created, which is essentially an alert when someone tries to forward their mailbox to an external mailbox, which by default is disabled anyway.

It does not, however, alert when an Inbox-Rule is created in the sense that:

- Mark mail as read
- Move mail from X to Folder: (Conversation History)

When a mailbox is compromised it is not common for the compromising party to forward the mail; yes, it can happen, but it's not a normal part of a routine day-to-day compromise.

Typically a compromise occurs in the following order:

- Token stolen
- Bad sign-ins in Entra
- Rules set up to move mail to a different folder
- Account used to compromise other accounts

This alert would not be triggered by any of these events.
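Since the canned alert policy only fires on forward/redirect rules, the quiet rules described in this thread (mark as read, move to a folder) still land in the Microsoft 365 Unified Audit Log as New-InboxRule / Set-InboxRule / UpdateInboxRules events. The script below is an added example, not something posted in this thread: it pulls those events for the last N hours and flags the rule actions a defender cares about. It assumes the ExchangeOnlineManagement module is installed, the running account can read the audit log, and that the `Parameters` names (`MarkAsRead`, `MoveToFolder`, `DeleteMessage`, `ForwardTo`, `RedirectTo`) are those Exchange logs for New-/Set-InboxRule; UpdateInboxRules (Outlook desktop) encodes its parameters differently and is included only so the event itself is surfaced.

```powershell
# Added example (not from the thread): surface inbox-rule creation/changes from
# the Unified Audit Log and flag the "quiet" rules the forwarding alert misses.
# Assumptions: ExchangeOnlineManagement installed; caller has audit-log rights;
# $Hours is the lookback window.
param([int]$Hours = 24)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddHours(-$Hours)

# Operations logged when a rule is created or modified via OWA, Outlook, or PowerShell.
$ops = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules')

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $ops -ResultSize 5000

$findings = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json

    # Parameters is a list of {Name, Value} pairs describing the rule; flatten it.
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }

    # Flag the actions that typically accompany a mailbox takeover.
    $flags = @()
    if ($p['MarkAsRead']    -eq 'True') { $flags += 'marks mail read' }
    if ($p.ContainsKey('MoveToFolder')) { $flags += "moves to '$($p['MoveToFolder'])'" }
    if ($p['DeleteMessage'] -eq 'True') { $flags += 'deletes mail' }
    if ($p.ContainsKey('ForwardTo') -or $p.ContainsKey('RedirectTo')) { $flags += 'forwards/redirects' }

    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        RuleName  = $p['Name']
        Flags     = ($flags -join '; ')
    }
}

# Anything flagged is worth a ticket; route it wherever helpdesk alerts already
# land (Send-MailMessage, a webhook into the PSA/RMM, etc.).
$findings | Where-Object { $_.Flags } | Sort-Object When | Format-Table -AutoSize
```

Run it on a schedule (hourly is plenty) so a rule created overnight is in front of you before the client's customer notices; UpdateInboxRules rows with an empty Flags column still deserve a look, since that operation hides the rule details in a different encoding.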
 