Playbook: Email Account Takeover Response
ID: PB-42
Severity: High | Category: Collection / Impact
MITRE ATT&CK: T1114 (Email Collection), T1114.003 (Email Forwarding Rule)
Trigger: User report (suspicious sent emails), SIEM (new inbox rule), M365/Google alert (impossible travel login to mail), DLP (sensitive data forwarded)
⚠️ CRITICAL: Email account takeover enables BEC fraud, data exfiltration via forwarding rules, and supply chain attacks against contacts.
Email Takeover Attack Flow
```mermaid
graph LR
    A["1️⃣ Credential Theft\nPhishing/spray"] --> B["2️⃣ Mailbox Login\nOWA/IMAP/API"]
    B --> C["3️⃣ Inbox Rules\nForward to external"]
    C --> D["4️⃣ Reconnaissance\nRead emails/contacts"]
    D --> E["5️⃣ BEC Attack\nImpersonate user"]
    E --> F["6️⃣ Financial Fraud\nWire transfer"]
    style A fill:#ffcc00,color:#000
    style C fill:#ff6600,color:#fff
    style E fill:#ff4444,color:#fff
    style F fill:#660000,color:#fff
```
Attacker Actions in Mailbox
```mermaid
graph TD
    Access["📧 Mailbox Access"] --> Rules["Create forwarding rules\nmailbox → external"]
    Access --> Read["Read sensitive emails\nfinancial, contracts"]
    Access --> Delete["Delete security alerts\nhide presence"]
    Access --> Send["Send phishing emails\nfrom trusted account"]
    Access --> Contacts["Harvest contact list\nfor future attacks"]
    Access --> OAuth["Create OAuth app\npersistent access"]
    style Access fill:#ff6600,color:#fff
    style Rules fill:#cc0000,color:#fff
    style OAuth fill:#cc0000,color:#fff
```
Decision Flow
```mermaid
graph TD
    Alert["🚨 Email Anomaly Detected"] --> Type{"Alert type?"}
    Type -->|"New inbox rule"| Rule["Check rule: external forwarding?\nAuto-delete?"]
    Type -->|"Unusual login"| Login["GeoIP + device check\nMobile/OWA/IMAP?"]
    Type -->|"User report"| Report["User says 'emails I didn't send'\nor 'missing emails'"]
    Type -->|"OAuth app"| OAuth["New app with mail permissions?\nUnknown publisher?"]
    Rule --> Malicious{"Rule sends to external domain?"}
    Malicious -->|Yes| Contain["🔴 CONTAIN\nRemove rule + reset password"]
    Malicious -->|"No — Internal"| Review["Review rule purpose"]
    Login --> Known{"Known device/location?"}
    Known -->|No| Contain
    Known -->|Yes| Monitor["Monitor"]
    Report --> Contain
    OAuth --> Contain
    style Alert fill:#ff6600,color:#fff
    style Contain fill:#cc0000,color:#fff
```
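The "Unusual login" branch of the decision flow, worked as an added example (not part of the playbook and not vendor tooling). It takes a time-ordered list of sign-in records for one mailbox, applies the "Known device/location?" test (either side unknown is read as "No" and yields CONTAIN, matching the flow's conservative branch), and additionally forces CONTAIN when two consecutive sign-ins imply impossible travel. The record fields, the 900 km/h travel ceiling, the baseline sets and the sample sign-ins are all constructed assumptions; a real audit export will need its own field mapping.

```python
"""Sign-in triage for the 'Unusual login' branch of the decision flow.

Added example; the SignIn fields are illustrative, not a vendor audit schema.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Iterable

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling for legitimate travel between sign-ins


@dataclass(frozen=True)
class SignIn:
    """One mailbox sign-in record (constructed layout)."""
    user: str
    time: datetime
    ip: str
    device_id: str
    client: str      # OWA / IMAP / MobileApp, as the decision flow asks
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def triage_signin(event: SignIn, known_devices: set[str], known_countries: set[str],
                  previous: SignIn | None = None) -> dict:
    """Known device and location -> MONITOR; anything unknown -> CONTAIN.

    Impossible travel relative to the previous sign-in also forces CONTAIN.
    """
    reasons: list[str] = []
    if event.device_id not in known_devices:
        reasons.append(f"unknown device {event.device_id} via {event.client}")
    if event.country not in known_countries:
        reasons.append(f"unknown country {event.country} from {event.ip}")
    if previous is not None:
        hours = (event.time - previous.time).total_seconds() / 3600.0
        km = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    decision = "CONTAIN" if reasons else "MONITOR"
    return {"user": event.user, "decision": decision, "reasons": reasons}


def triage_sequence(events: Iterable[SignIn], known_devices: set[str],
                    known_countries: set[str]) -> list[dict]:
    """Triage sign-ins in time order, each compared with the one before it."""
    results: list[dict] = []
    previous: SignIn | None = None
    for ev in sorted(events, key=lambda e: e.time):
        results.append(triage_signin(ev, known_devices, known_countries, previous))
        previous = ev
    return results


# Constructed sample: a routine OWA sign-in from the office, then an IMAP sign-in
# 40 minutes later from another continent on a device never seen before.
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc),
           "203.0.113.10", "dev-laptop-01", "OWA", "GB", 51.5, -0.12),
    SignIn("alice@example.com", datetime(2024, 5, 6, 8, 40, tzinfo=timezone.utc),
           "198.51.100.7", "dev-unknown-9f", "IMAP", "NG", 6.45, 3.39),
]
KNOWN_DEVICES = {"dev-laptop-01", "dev-phone-02"}   # assumed per-user baseline
KNOWN_COUNTRIES = {"GB"}

if __name__ == "__main__":
    for r in triage_sequence(SAMPLE_SIGNINS, KNOWN_DEVICES, KNOWN_COUNTRIES):
        print(r["decision"], r["reasons"])
```

The second record trips all three checks, so its reasons list names the unknown device and client, the unknown country, and the roughly 5,000 km covered in 40 minutes; feeding those reasons into the ticket gives the containment step its justification without re-querying the logs.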
Investigation Workflow
```mermaid
sequenceDiagram
    participant Alert as Alert Source
    participant SOC as SOC Analyst
    participant M365 as M365/Google Admin
    participant User
    participant IR as IR Team
    Alert->>SOC: 🚨 Suspicious email activity
    SOC->>M365: Pull audit logs (sign-in + mailbox)
    M365->>SOC: Return login IPs, inbox rules, sent items
    SOC->>SOC: Identify unauthorized inbox rules
    SOC->>M365: Remove malicious rules immediately
    SOC->>User: Notify — account compromised
    SOC->>M365: Force password reset + revoke sessions
    SOC->>IR: Escalate — check for BEC fraud
    IR->>M365: Review sent/deleted items for damage
    IR->>SOC: Check contacts for ongoing phishing
```
Email Rule Types to Monitor
```mermaid
graph TD
    subgraph "🔴 High Risk Rules"
        R1["Auto-forward to external email"]
        R2["Auto-delete specific emails"]
        R3["Move security alerts to Deleted"]
        R4["Forward invoices/payments"]
    end
    subgraph "🟡 Medium Risk Rules"
        R5["Forward to personal email"]
        R6["Auto-reply with OOO"]
        R7["Move emails to hidden folder"]
    end
    subgraph "🟢 Normal Rules"
        R8["Sort by sender to folders"]
        R9["Flag emails with keywords"]
        R10["Auto-categorize"]
    end
    style R1 fill:#cc0000,color:#fff
    style R2 fill:#cc0000,color:#fff
    style R4 fill:#cc0000,color:#fff
```
Impact Assessment
```mermaid
graph TD
    Impact["Impact Assessment"] --> DataRead{"Sensitive emails read?"}
    DataRead -->|No| Low["🟢 Low\nCredential compromise only"]
    DataRead -->|Yes| Forward{"Data forwarded externally?"}
    Forward -->|No| Med["🟡 Medium\nData exposure risk"]
    Forward -->|Yes| BEC{"BEC fraud attempted?"}
    BEC -->|No| High["🟠 High\nData breach"]
    BEC -->|Yes| Money{"Money transferred?"}
    Money -->|No| VHigh["🔴 Critical\nBEC attempt blocked"]
    Money -->|Yes| Cat["💀 Financial Loss\nContact bank immediately"]
    style Impact fill:#333,color:#fff
    style Cat fill:#660000,color:#fff
```
Response Timeline
```mermaid
gantt
    title Email Account Takeover Response
    dateFormat HH:mm
    axisFormat %H:%M
    section Detection
    Alert received          :a1, 00:00, 5min
    Verify unauthorized     :a2, after a1, 10min
    section Containment
    Remove inbox rules      :a3, after a2, 5min
    Reset password & MFA    :a4, after a3, 10min
    Revoke OAuth apps       :a5, after a4, 10min
    section Investigation
    Audit mailbox activity  :a6, after a5, 60min
    Check sent/deleted      :a7, after a6, 30min
    Assess BEC risk         :a8, after a7, 60min
    section Recovery
    Notify affected parties :a9, after a8, 30min
```
| # | Action | Owner |
|---|---|---|
| 1 | Remove ALL suspicious inbox rules (forwarding, auto-delete) | M365/Google Admin |
| 2 | Reset user password immediately | IAM Team |
| 3 | Revoke all active sessions and tokens | M365/Google Admin |
| 4 | Revoke any unknown OAuth/app permissions | M365/Google Admin |
| 5 | Re-enroll MFA with a new device/method | IAM Team |
| 6 | Check Sent and Deleted Items for attacker actions | SOC T2 |
2. Investigation Checklist
Mailbox Audit
BEC Assessment
Data Exposure
3. Containment
| Scope | Action |
|---|---|
| Inbox rules | Remove all forwarding/delete rules |
| Password | Force reset + MFA re-enrollment |
| Sessions | Revoke all active sessions/tokens |
| OAuth | Remove unknown app permissions |
| Delegates | Remove unauthorized delegate access |
4. Post-Incident
| Question | Answer |
|---|---|
| How were email credentials compromised? | [Phishing/spray/leak] |
| Were inbox rule alerts configured? | [Yes/No] |
| Was conditional access policy enforced? | [Status] |
| Were financial controls (dual approval) in place? | [Status] |
6. Detection Rules (Sigma)
```yaml
title: Suspicious Email Forwarding Rule Created
logsource:
  product: m365
  service: exchange
detection:
  selection:
    Operation: 'New-InboxRule'
    Parameters|contains:
      - 'ForwardTo'
      - 'RedirectTo'
      - 'ForwardAsAttachmentTo'
  condition: selection
level: high
```
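The Sigma rule fires on any rule creation that mentions a forwarding parameter; the analyst still has to decide whether the destination is external and whether the rule also auto-deletes or buries security alerts. The following added example (not part of the playbook, not a vendor tool) does that grading over audit records, applying the three forwarding parameters from the rule above together with the auto-delete, Deleted-Items and invoice/payment checks from the "Email Rule Types to Monitor" section, and ranking each rule high / medium / normal. It treats every non-tenant domain as external rather than distinguishing "personal" mail providers. Record layout follows the Name/Value parameter list of Exchange admin audit events, but the sample records, `INTERNAL_DOMAINS` and the keyword lists are constructed assumptions to adapt per tenant.

```python
"""Inbox-rule triage over New-/Set-InboxRule audit records (added example)."""
from __future__ import annotations
import json
import re
from typing import Iterable

INTERNAL_DOMAINS = {"example.com"}                      # assumed tenant domains
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
ALERT_KEYWORDS = ("security alert", "password", "sign-in", "suspicious")   # assumed
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "remittance")            # assumed
RISK_RANK = {"normal": 0, "medium": 1, "high": 2}


def parse_parameters(record: dict) -> dict[str, str]:
    """Flatten [{'Name': ..., 'Value': ...}, ...] into a plain dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def recipient_domains(value: str) -> list[str]:
    """Lower-cased domains from a recipient value, which may be a bare address,
    'Display Name <addr>' or a ';'-separated list of either."""
    return [m.lower() for m in re.findall(r"@([\w.-]+)", value)]


def classify_rule(record: dict) -> dict | None:
    """Grade one inbox-rule record; returns None for unrelated operations."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = parse_parameters(record)
    subject = params.get("SubjectContainsWords", "").lower()
    findings: list[str] = []
    risk = "normal"

    def raise_to(level: str, why: str) -> None:
        nonlocal risk
        findings.append(why)
        if RISK_RANK[level] > RISK_RANK[risk]:
            risk = level

    # High: forward/redirect to a domain the tenant does not own.
    for p in FORWARD_PARAMS:
        if p in params:
            external = [d for d in recipient_domains(params[p]) if d not in INTERNAL_DOMAINS]
            if external:
                raise_to("high", f"{p} to external domain(s): {', '.join(external)}")
                if any(k in subject for k in FINANCE_KEYWORDS):
                    raise_to("high", "forwards invoice/payment subjects (BEC indicator)")
    # High: matching mail is deleted outright.
    if params.get("DeleteMessage", "").lower() in ("true", "$true"):
        raise_to("high", "DeleteMessage enabled (auto-delete)")
    # Moving mail out of sight: high when it targets security alerts, else medium.
    folder = params.get("MoveToFolder", "")
    if folder in ("Deleted Items", "Junk Email"):
        if any(k in subject for k in ALERT_KEYWORDS):
            raise_to("high", f"moves security-alert mail to {folder}")
        else:
            raise_to("medium", f"moves mail to {folder}")
    return {"user": record.get("UserId"),
            "rule": params.get("Name") or params.get("Identity"),
            "operation": record["Operation"], "risk": risk, "findings": findings}


def triage_audit_lines(lines: Iterable[str]) -> list[dict]:
    """One JSON record per line; keep inbox-rule results, highest risk first."""
    results: list[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = classify_rule(json.loads(line))
        if result is not None:
            results.append(result)
    return sorted(results, key=lambda r: -RISK_RANK[r["risk"]])


# Constructed sample records: an external forward with auto-delete on finance
# subjects, a rule burying security alerts, a benign sort-by-sender rule, and
# an unrelated operation that the triage must ignore.
SAMPLE_AUDIT_LINES = """
{"CreationTime":"2024-05-06T08:41:00","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"ForwardTo","Value":"Alice Backup <alice.backup@example.net>"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-06T08:42:00","Operation":"Set-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Identity","Value":"Cleanup"},{"Name":"SubjectContainsWords","Value":"Security alert"},{"Name":"MoveToFolder","Value":"Deleted Items"}]}
{"CreationTime":"2024-05-06T09:00:00","Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@example.com"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-05-06T09:05:00","Operation":"MailItemsAccessed","UserId":"bob@example.com"}
""".strip().splitlines()

if __name__ == "__main__":
    for r in triage_audit_lines(SAMPLE_AUDIT_LINES):
        print(r["risk"].upper(), r["user"], repr(r["rule"]), r["findings"])
```

Both `New-InboxRule` and `Set-InboxRule` are graded, since an attacker can just as easily add a forward to an existing rule as create a new one; the one-character rule name in the first sample is the kind of detail worth surfacing in the ticket, because it is chosen to be overlooked in the Outlook rule list.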
References