Skill

detecting-email-account-compromise

From asi

Detects compromised Office 365 and Google Workspace email accounts by analyzing inbox rules, suspicious sign-ins, mail forwarding, and API access via Microsoft Graph and audit logs. For incident response and threat hunting.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

SKILL.md

Similar Skills

detecting-email-account-compromise

5.9k

Detects compromised Office 365 and Google Workspace email accounts via inbox rules, suspicious sign-ins, forwarding rules, and API patterns using Microsoft Graph and audit logs.

3 files

cybersecurity-skills

detecting-email-account-compromise

Detects compromised O365 and Google Workspace email accounts by analyzing inbox rules, suspicious logins, forwarding rules, and abnormal API access patterns. Useful for cybersecurity incident response.

3 files

cybersecurity-skills-zh

analyzing-office365-audit-logs-for-compromise

Parses Office 365 Unified Audit Logs via Microsoft Graph API to detect account compromise indicators like forwarding rules, inbox delegation, and OAuth grants. For SOC incident investigations and threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Email Account Compromise

Overview

Email account compromise (EAC) is a prevalent attack vector where adversaries gain unauthorized access to mailboxes to exfiltrate sensitive data, conduct business email compromise (BEC), or establish persistence through inbox rule manipulation. Attackers commonly create forwarding rules to siphon emails, delete rules to hide evidence, or use OAuth tokens for persistent access. Detection relies on analyzing Microsoft 365 Unified Audit Logs, Azure AD sign-in logs for impossible travel or suspicious locations, inbox rule creation events (Set-InboxRule, New-InboxRule), and Microsoft Graph API access patterns. Key indicators include forwarding rules to external addresses, rules that delete or move messages matching keywords like "invoice" or "payment", and sign-ins from unusual user agents such as python-requests.

When to Use

When investigating security incidents that require detecting email account compromise
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Microsoft 365 with Unified Audit Logging enabled
Azure AD P1/P2 for risk detection APIs
Python 3.9+ with requests, msal libraries
Microsoft Graph API application registration with Mail.Read, AuditLog.Read.All permissions
Understanding of OAuth2 client credential flows

Steps

Export audit logs or connect to Microsoft Graph API using MSAL authentication
Query inbox rules for all monitored mailboxes via /users/{id}/mailFolders/inbox/messageRules
Analyze rules for external forwarding (ForwardTo, RedirectTo external addresses)
Detect suspicious rule patterns: deletion rules, keyword-matching rules targeting financial terms
Query sign-in logs via /auditLogs/signIns for unusual locations and impossible travel
Check for suspicious user agent strings (python-requests, PowerShell, curl)
Identify OAuth application consent grants for suspicious third-party apps
Correlate findings across users to detect campaign-level compromise
Generate compromise indicators report with severity scores

Expected Output

A JSON report listing compromised or suspicious accounts, malicious inbox rules detected, impossible travel events, suspicious OAuth grants, and recommended containment actions with severity ratings.