Detects compromised O365 and Google Workspace email accounts by analyzing inbox rules, suspicious logins, forwarding rules, and abnormal API access patterns. Useful for cybersecurity incident response.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Detects compromised Office 365 and Google Workspace email accounts via inbox rules, suspicious sign-ins, forwarding rules, and API patterns using Microsoft Graph and audit logs.
Detects compromised Office 365 and Google Workspace email accounts by analyzing inbox rules, suspicious sign-ins, mail forwarding, and API access via Microsoft Graph and audit logs. For incident response and threat hunting.
Analyzes Office 365 unified audit logs via Microsoft Graph API to detect account compromise indicators: forwarding rules, inbox delegation, suspicious OAuth apps, BEC traces. Useful for cloud security investigations.
Email Account Compromise (EAC) is a common attack technique in which an attacker gains unauthorized access to a mailbox to steal sensitive data, carry out Business Email Compromise (BEC), or establish persistence by manipulating inbox rules. Attackers typically create forwarding rules to intercept mail, create delete rules to cover their tracks, or use OAuth tokens to keep persistent access. Detection methods include analyzing Microsoft 365 Unified Audit Logs, Impossible Travel or suspicious locations in Azure AD sign-in logs, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules that point to external addresses, delete/move rules that match keywords such as "invoice" or "payment", and sign-ins from abnormal User-Agents such as python-requests.
Dependencies: the requests and msal libraries.
Graph endpoints used:
/users/{id}/mailFolders/inbox/messageRules: query the inbox rules of every monitored mailbox.
/auditLogs/signIns: query sign-in logs and check for anomalous locations and impossible travel.
Output: a JSON report listing compromised or suspicious accounts, detected malicious inbox rules, impossible-travel events, suspicious OAuth grants, and recommended containment measures with severity ratings.
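As an added example (not the skill's own code), the triage logic below applies the indicators named above to objects in the shape the two Graph endpoints return; the tenant domain, keyword list and the sample messageRule/signIn payloads are constructed assumptions, and the Graph calls themselves are left out so it runs offline.

```python
from datetime import datetime
INTERNAL_DOMAINS = {"contoso.example"}      # assumption: the tenant's own domain(s)
SUSPICIOUS_KEYWORDS = ("invoice", "payment")
SUSPICIOUS_AGENTS = ("python-requests",)    # the abnormal User-Agent the page names
# Constructed sample payloads shaped like Graph messageRule and signIn objects.
SAMPLE_RULES = [
    {"displayName": "..", "conditions": {"subjectContains": ["Invoice"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "fwd", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}]}},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "userAgent": "Mozilla/5.0", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T09:25:00Z",
     "userAgent": "python-requests/2.31.0", "location": {"countryOrRegion": "NG"}},
]

def triage_inbox_rules(rules):
    """Return (rule name, reason) for external forwarding and keyword-hiding rules."""
    findings = []
    for rule in rules:
        actions, cond = rule.get("actions", {}), rule.get("conditions", {})
        targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
        external = [t["emailAddress"]["address"] for t in targets
                    if t["emailAddress"]["address"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            findings.append((rule["displayName"], f"forwards to external {external}"))
        hides = actions.get("delete") or actions.get("moveToFolder")
        words = [w for w in cond.get("subjectContains", []) + cond.get("bodyContains", [])
                 if w.lower() in SUSPICIOUS_KEYWORDS]
        if hides and words:
            findings.append((rule["displayName"], f"hides mail matching {words}"))
    return findings

def triage_sign_ins(sign_ins, max_minutes=60):
    """Flag scripted user agents and a country change within max_minutes for one user."""
    findings, last = [], {}
    for s in sorted(sign_ins, key=lambda x: x["createdDateTime"]):
        upn, ua = s["userPrincipalName"], s.get("userAgent", "")
        ts = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        country = s.get("location", {}).get("countryOrRegion", "?")
        if any(a in ua.lower() for a in SUSPICIOUS_AGENTS):
            findings.append((upn, f"scripted user agent: {ua}"))
        prev = last.get(upn)
        if prev and prev[1] != country and (ts - prev[0]).total_seconds() <= max_minutes * 60:
            findings.append((upn, f"impossible travel {prev[1]} -> {country}"))
        last[upn] = (ts, country)
    return findings
```

The country-change window is a deliberately simple stand-in for a real geo-velocity check; tune max_minutes and the keyword list to the tenant before relying on the output.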