Back to Details

detecting-email-account-compromise

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Detecting Email Account Compromise

检测邮箱账户泄露

Overview

概述

Email account compromise (EAC) is a prevalent attack vector where adversaries gain unauthorized access to mailboxes to exfiltrate sensitive data, conduct business email compromise (BEC), or establish persistence through inbox rule manipulation. Attackers commonly create forwarding rules to siphon emails, delete rules to hide evidence, or use OAuth tokens for persistent access. Detection relies on analyzing Microsoft 365 Unified Audit Logs, Azure AD sign-in logs for impossible travel or suspicious locations, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules to external addresses, rules that delete or move messages matching keywords like "invoice" or "payment", and sign-ins from unusual user agents such as python-requests.
邮箱账户泄露(EAC)是一种常见的攻击向量,攻击者会未经授权访问邮箱,以窃取敏感数据、实施企业邮箱诈骗(BEC),或通过操纵收件箱规则建立持久访问权限。攻击者通常会创建转发规则来窃取邮件、删除规则以销毁证据,或使用OAuth令牌实现持久访问。检测工作依赖于分析Microsoft 365统一审计日志、Azure AD登录日志(用于检测不可能的旅行或可疑位置)、收件箱规则创建事件(Set-InboxRule、New-InboxRule)以及Microsoft Graph API访问模式。关键指标包括转发至外部地址的规则、删除或移动包含“发票”或“付款”等关键词邮件的规则,以及来自python-requests等异常用户代理的登录行为。

When to Use

适用场景

  • When investigating security incidents that require detecting email account compromise
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
  • 当调查需要检测邮箱账户泄露的安全事件时
  • 当为此领域构建检测规则或威胁狩猎查询时
  • 当SOC分析师需要此类分析的结构化流程时
  • 当验证相关攻击技术的安全监控覆盖范围时

Prerequisites

前提条件

  • Microsoft 365 with Unified Audit Logging enabled
  • Azure AD P1/P2 for risk detection APIs
  • Python 3.9+ with 
    requests
    , 
    msal
    libraries
  • Microsoft Graph API application registration with Mail.Read, AuditLog.Read.All permissions
  • Understanding of OAuth2 client credential flows
  • 已启用统一审计日志的Microsoft 365
  • 用于风险检测API的Azure AD P1/P2
  • 安装了
    requests
    msal
    库的Python 3.9+
  • 已注册并拥有Mail.Read、AuditLog.Read.All权限的Microsoft Graph API应用
  • 了解OAuth2客户端凭证流

Steps

步骤

  1. Export audit logs or connect to Microsoft Graph API using MSAL authentication
  2. Query inbox rules for all monitored mailboxes via 
    /users/{id}/mailFolders/inbox/messageRules
  3. Analyze rules for external forwarding (ForwardTo, RedirectTo external addresses)
  4. Detect suspicious rule patterns: deletion rules, keyword-matching rules targeting financial terms
  5. Query sign-in logs via 
    /auditLogs/signIns
    for unusual locations and impossible travel
  6. Check for suspicious user agent strings (python-requests, PowerShell, curl)
  7. Identify OAuth application consent grants for suspicious third-party apps
  8. Correlate findings across users to detect campaign-level compromise
  9. Generate compromise indicators report with severity scores
  1. 导出审计日志,或使用MSAL认证连接至Microsoft Graph API
  2. 通过
    /users/{id}/mailFolders/inbox/messageRules
    查询所有受监控邮箱的收件箱规则
  3. 分析规则中的外部转发行为(ForwardTo、RedirectTo外部地址)
  4. 检测可疑规则模式:删除规则、针对财务术语的关键词匹配规则
  5. 通过
    /auditLogs/signIns
    查询登录日志,检测异常位置和不可能的旅行
  6. 检查可疑用户代理字符串(python-requests、PowerShell、curl)
  7. 识别可疑第三方应用的OAuth应用授权
  8. 关联跨用户的检测结果,以检测活动级别的泄露事件
  9. 生成包含严重性评分的泄露指标报告

Expected Output

预期输出

A JSON report listing compromised or suspicious accounts, malicious inbox rules detected, impossible travel events, suspicious OAuth grants, and recommended containment actions with severity ratings.
一份JSON报告,列出已泄露或可疑的账户、检测到的恶意收件箱规则、不可能的旅行事件、可疑OAuth授权,以及带有严重性评级的建议遏制措施。