Skill

detecting-email-account-compromise

Detects compromised Office 365 and Google Workspace email accounts via inbox rules, suspicious sign-ins, forwarding rules, and API patterns using Microsoft Graph and audit logs.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Detecting Email Account Compromise

Overview

Email account compromise (EAC) is a prevalent attack vector where adversaries gain unauthorized access to mailboxes to exfiltrate sensitive data, conduct business email compromise (BEC), or establish persistence through inbox rule manipulation. Attackers commonly create forwarding rules to siphon emails, delete rules to hide evidence, or use OAuth tokens for persistent access. Detection relies on analyzing Microsoft 365 Unified Audit Logs, Azure AD sign-in logs for impossible travel or suspicious locations, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules to external addresses, rules that delete or move messages matching keywords like "invoice" or "payment", and sign-ins from unusual user agents such as python-requests.

When to Use

When investigating security incidents that require detecting email account compromise
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Microsoft 365 with Unified Audit Logging enabled
Azure AD P1/P2 for risk detection APIs
Python 3.9+ with requests, msal libraries
Microsoft Graph API application registration with Mail.Read, AuditLog.Read.All permissions
Understanding of OAuth2 client credential flows

Steps

Export audit logs or connect to Microsoft Graph API using MSAL authentication
Query inbox rules for all monitored mailboxes via /users/{id}/mailFolders/inbox/messageRules
Analyze rules for external forwarding (ForwardTo, RedirectTo external addresses)
Detect suspicious rule patterns: deletion rules, keyword-matching rules targeting financial terms
Query sign-in logs via /auditLogs/signIns for unusual locations and impossible travel
Check for suspicious user agent strings (python-requests, PowerShell, curl)
Identify OAuth application consent grants for suspicious third-party apps
Correlate findings across users to detect campaign-level compromise
Generate compromise indicators report with severity scores

Expected Output

A JSON report listing compromised or suspicious accounts, malicious inbox rules detected, impossible travel events, suspicious OAuth grants, and recommended containment actions with severity ratings.