Detect Email Hiding Rules in Google Chronicle
Adversaries may use email inbox rules to hide inbound emails in a compromised user's mailbox. Rules can automatically move messages to less-visible folders, mark them as read, or permanently delete them — preventing users and defenders from seeing security alerts, C2 communications, or replies to spearphishing emails sent from the compromised account. Attackers commonly filter on keywords such as 'malware', 'phish', 'hack', 'suspicious', and 'security' in subject lines and message bodies. Rules can be created through email clients (Outlook, OWA), Exchange PowerShell cmdlets (New-InboxRule, Set-InboxRule), Microsoft Graph API, or organization-wide Exchange transport rules. Real-world threat actors including Scattered Spider (OCTO TEMPEST) and FIN4 have used this technique to suppress security alerts and delay incident detection. Malicious rules targeting security personnel inboxes are particularly dangerous as they can suppress vendor security product notifications and SOC escalation emails.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.008 Email Hiding Rules
- Canonical reference: https://attack.mitre.org/techniques/T1564/008/
YARA-L Detection Query
rule email_hiding_inbox_rule {
  meta:
    author = "Detection Engineering"
    description = "Detects email inbox rules hiding security alerts (T1564.008)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.metadata.product_name = "Office 365"
    // Cmdlet operations that create or change inbox/transport rules, plus
    // UpdateInboxRules, which is how EWS-based creation (Test 4) is audited.
    re.regex($e.metadata.product_event_type, `(New|Set)-(InboxRule|TransportRule)|UpdateInboxRules`) nocase
    // Fire on a hiding action or on a security-related keyword in the rule parameters
    // (nocase replaces the redundant inline (?i) flag).
    (
      re.regex($e.target.resource.attribute.labels.value, `DeleteMessage|MoveToFolder`) nocase or
      re.regex($e.target.resource.attribute.labels.value, `malware|phish|breach|security.alert|hack|incident`) nocase
    )

  condition:
    $e
}
Chronicle YARA-L rule detecting email hiding inbox rules filtering security-related emails.
False Positives & Tuning
- IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
- Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
- Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
- Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
- Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Inbox Rule to Delete Security Alert Emails via PowerShell (Exchange Online)
Expected signal: OfficeActivity table: Operation='New-InboxRule', UserId=<executing account>, Parameters will contain SubjectContainsWords and DeleteMessage fields. If run from an endpoint, DeviceProcessEvents Sysmon Event ID 1 will show powershell.exe with CommandLine containing 'New-InboxRule' and '-DeleteMessage'. O365 Unified Audit Log will record the event with ClientIP of the connecting machine.
- Test 2: Create Inbox Rule to Move Security Emails to Hidden Folder and Mark as Read
Expected signal: OfficeActivity: Operation='New-InboxRule', Parameters contains SubjectOrBodyContainsWords, MoveToFolder='RSS Feeds', and MarkAsRead=True. The combination of MoveToFolder and MarkAsRead in a single rule is the stealth indicator. O365 audit log event visible in Search-UnifiedAuditLog with -Operations 'New-InboxRule'.
- Test 3: Create Exchange Transport Rule to Delete Security Emails Organization-Wide
Expected signal: OfficeActivity: Operation='New-TransportRule', UserId=<admin account>, Parameters contain SubjectOrBodyContainsWords, DeleteMessage, and Mode=Audit fields. Note: Mode=Audit means the rule logs matches but does not actually delete emails in test mode — safe for production testing. Audit log entry includes full rule conditions and actions.
- Test 4: Inbox Rule Creation Using Ruler Tool (EWS-Based, No PowerShell)
Expected signal: OfficeActivity: Operation='UpdateInboxRules' (EWS rule creation shows as UpdateInboxRules, not New-InboxRule), ClientIP=Linux host IP, UserAgent=Ruler's default user agent string. EWS IIS logs on on-premises Exchange: method=POST, cs-uri-stem=/EWS/Exchange.asmx, with Ruler user-agent in cs(User-Agent). No PowerShell or Sysmon events generated since this runs from Linux. This test validates that the OfficeActivity-based detection catches non-PowerShell rule creation.
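As an added example (not code from the original page or from any vendor), the following Python applies the same logic as the YARA-L rule above to newline-delimited Unified Audit Log records and covers the signals the four tests describe, going slightly beyond the rule by also counting MarkAsRead as a hiding action and UpdateInboxRules as a rule operation. The sample records are constructed, and their Parameters/OperationProperties Name/Value layout is a simplified assumption about the real AuditData JSON.

```python
import json
import re

# Rule-creating operations: the Exchange cmdlets plus UpdateInboxRules (the EWS path).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                   "New-TransportRule", "Set-TransportRule"}
HIDING_ACTIONS = re.compile(r"DeleteMessage|MoveToFolder|MarkAsRead", re.I)
SECURITY_WORDS = re.compile(r"malware|phish|breach|security.alert|hack|incident|suspicious", re.I)

def inspect_rule_event(record):
    """Return a finding dict for a suspicious rule event, or None otherwise."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    # Collapse the Name/Value lists into one dict (OperationProperties layout is assumed).
    pairs = record.get("Parameters", []) + record.get("OperationProperties", [])
    params = {p["Name"]: str(p["Value"]) for p in pairs}
    # Hiding actions appear as parameter names (-DeleteMessage $true) or inside an
    # EWS action string, so name and value are both searched; "False" is skipped.
    hiding = sorted({m.group(0) for k, v in params.items() if v.lower() != "false"
                     for m in HIDING_ACTIONS.finditer(f"{k} {v}")})
    words = sorted({m.group(0).lower() for v in params.values()
                    for m in SECURITY_WORDS.finditer(v)})
    if not hiding and not words:
        return None
    return {"operation": record["Operation"], "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"), "hiding_actions": hiding,
            "keywords": words,
            # Hiding action plus keyword is high confidence; a hiding action alone
            # (e.g. a newsletter rule) is the tuning zone from the false-positive list.
            "severity": "HIGH" if hiding and words else "MEDIUM",
            # Mode=Audit transport rules log matches but do not act on mail.
            "audit_mode": params.get("Mode", "").lower() == "audit"}

def scan(lines):
    # Run the check over newline-delimited JSON audit records, dropping non-findings.
    return [f for f in (inspect_rule_event(json.loads(l)) for l in lines) if f]

# Constructed sample records mirroring the four tests plus one benign newsletter rule.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "phish;malware"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "SubjectOrBodyContainsWords", "Value": "security alert"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-TransportRule", "UserId": "admin@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "SubjectOrBodyContainsWords", "Value": "incident"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "Mode", "Value": "Audit"}]},
    {"Operation": "UpdateInboxRules", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "OperationProperties": [{"Name": "RuleActions", "Value": "MoveToFolder=Archive"},
                             {"Name": "RuleCondition", "Value": "Subject contains 'hack'"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "203.0.113.20",
     "Parameters": [{"Name": "From", "Value": "news@example.com"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]]
```

Running `scan(SAMPLE_LINES)` yields four HIGH findings (one per test) and one MEDIUM finding for the newsletter rule, which is the case the tuning list above is about.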
References (13)
- https://attack.mitre.org/techniques/T1564/008/
- https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59
- https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac
- https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps
- https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps
- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
- https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
- https://github.com/sensepost/ruler
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight
- https://learn.microsoft.com/en-us/purview/audit-log-search