detection.wiki

Hide Artifacts: Email Hiding Rules T1564.008

Tactic: Stealth

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.

Events covered

1 catalog event is tagged with this technique by at least one rule.

ProviderEventTitle
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 9 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (19 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Operation5eq 2, in 2, contains 1, ends_with 1New-InboxRule, Set-InboxRule, Disable-*, New-*, Remove-*
Workload3eq 3Exchange
sourcetype3eq 3o365:management:activity
EventType2in 2New-InboxRule, Set-InboxRule
ScriptBlockText2contains 2deletemessage, forwardasattachmentto, forwardingaddress, forwardingsmtpaddress, markasread
data_stream.dataset2eq 2o365.audit
event.outcome2eq 2success
m365::Parameters2contains 2deletemessage, forwardasattachmentto, forwardingaddress, forwardingsmtpaddress, markasread
Esql.inbox_rule_name1regex_match 1[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+
Parameters{}.Name1in 1CopyToFolder, DeleteMessage, ForwardAsAttachmentTo
Provider_Name1eq 1Exchange
m365::ObjectId1is_not_null 1
m365::OperationProperties1contains 1forward, recipients
o365.audit.Parameters.BodyContainsWords1eq 1\u0000
o365.audit.Parameters.DeleteMessage1eq 1True

Top indicator values (75 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
Workloadeq
Exchange
320
sourcetypeeq
o365:management:activity
380
EventTypein
New-InboxRule
23
EventTypein
Set-InboxRule
23
Operationeq
New-InboxRule
25
Operationeq
Set-InboxRule
22
ScriptBlockTextcontains
new-inboxrule
22
ScriptBlockTextcontains
set-inboxrule
22
data_stream.dataseteq
o365.audit
245
event.outcomeeq
success
2251
Esql.inbox_rule_nameregex_match
[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+
1
Operationcontains
new-inboxrule
1
Operationcontains
set-inboxrule
1
Operationcontains
set-mailbox
1
Operationcontains
updateinboxrules
1
Operationends_with
transportrule
1
Operationin
Disable-*
12
Operationin
New-*
12
Operationin
New-InboxRule
13
Operationin
Remove-*
12
Operationin
Set-*
12
Operationin
Set-InboxRule
13
Parameters{}.Namein
CopyToFolder
1
Parameters{}.Namein
DeleteMessage
1
Parameters{}.Namein
ForwardAsAttachmentTo
1
Parameters{}.Namein
ForwardTo
1
Parameters{}.Namein
MoveToFolder
1
Parameters{}.Namein
RedirectTo
1
Parameters{}.Namein
SoftDeleteMessage
1
Provider_Nameeq
Exchange
119

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 4 rules

Elastic 2 rules

Splunk 3 rules