#25295 [Huntress Detection] HIGH - INBOX RULES DISABLED - Incident on [email protected] (Missoula Economic Partners)

Status: Resolved. Created Dec 14, 2023, 7:28 AM. Resolved Dec 14, 2023, 7:52 PM.
Huntress (internal) Dec 14, 2023, 7:28 AM
*** The Huntress Platform will disable the following email inbox rules from the Microsoft 365 environment to prevent further attack and data exfiltration: . ***

User: [email protected] - https://artichoke.huntress.io/org/84488/managed_identity/user_entities/207183666
Organization: Missoula Economic Partners

Incident Report: https://artichoke.huntress.io/org/84488/infection_reports/1062211
Severity: High

Huntress detected the following items that require remediation:

Email Forwarding Rule Created - One or more email forwarding rules were created
    Events: 
      No Time Given - Historic Inbox Rule Found Moving Messages to Conversation History Folder
      No Time Given - Historic Inbox Rule Found Moving Messages to Conversation History Folder

Remediation Instructions
------------------------

Perform the following remediations:

- Audit activity for user 8e45cb80-5130-4f26-982e-c630b6cbb1e6.
- Remove any maliciously created inbox rules - named None for user 8e45cb80-5130-4f26-982e-c630b6cbb1e6.rule from the 8e45cb80-5130-4f26-982e-c630b6cbb1e6 mailbox.
- Enable complex conditional access policies for 8e45cb80-5130-4f26-982e-c630b6cbb1e6.
- Enable and enforce MFA for 8e45cb80-5130-4f26-982e-c630b6cbb1e6, if otherwise not enabled.
- Rotate the credentials for 8e45cb80-5130-4f26-982e-c630b6cbb1e6.

MDR for Microsoft 365
-----------------------
Occurred At: 2023-12-14 05:35:29 UTC
User Principal Name: [email protected]
Rule Name: Historic Inbox Rule Found Moving Messages to Conversation History Folder
Rule Description: Alert when an Inbox Rule is found during onboarding moving messages to the Conversation History folder.
Name: /....
Description: Take the following actions:
	mark the message as Read
	and move the message to folder 'Conversation History'
	and stop processing more rules on this message

Occurred At: 2023-12-14 05:35:29 UTC
User Principal Name: [email protected]
Rule Name: Historic Inbox Rule Found Moving Messages to Conversation History Folder
Rule Description: Alert when an Inbox Rule is found during onboarding moving messages to the Conversation History folder.
Name: ....
Description: If the message:
	the sender's address contains these words: '@missoulapartnership.com' or 'missoulapartnership.com' or 'chayahconsultgroup.com' or '@chayahconsultgroup.com' or 'jccscpa.com'
Take the following actions:
	mark the message as Read
	and move the message to folder 'Conversation History'
	and stop processing more rules on this message

Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.