This article is contributed. See the original author and article here.

Automation in Cloud App Security: Auto-disable Malicious Inbox Rule 


 


By @Caroline_Lee & @Sebastien Molendijk 


 


Welcome back to the Automation in Cloud App Security blog series. For those of you who have been keeping up with us, what do you think of the templates so far? Any feedback? If you are new to this series and are joining us for the first time, I encourage you to go check out our last three posts: https://aka.ms/MCAS/Auto-Bloghttps://aka.ms/MCAS/Auto-Triage & https://aka.ms/MCAS/Auto-ActionIn this series, we showcase various Power Automate flows that help to mitigate advanced customer scenarios we see today in Microsoft Cloud App Security (MCAS). 


 


Today, we have an awesome Power Automate template to share with you all on how to auto-disable malicious inbox forwarding rules.  


 


If you are unfamiliar with malicious inbox forwarding rule, attackers who gain access to a user’s credentials can create mailbox rules to forward emails to exfiltrate sensitive company data. MCAS has a built-in policy to detect this activity based on the learned behavior of a user and alert if they are potentially compromised. We walkthrough how users can investigate these types of anomalies in our investigation guide. 


 


 


We’ve taken it one step further by creating a flow that will auto-disable a malicious inbox rule if detected. The flow will initiate once an alert is generated in Cloud App Security. We’ll collect details on the compromised user, their manager, and we’ll call the MCAS API using the Provider Alert ID which is an internal ID to gain more information on the alert than what’s given by default.  


 


The most important value we see from the MCAS API is the “ruleName,” this show the inbox rule names which we’ll use to identify a malicious inbox rule i.e. “…” 


 


We will also call the Microsoft Graph to obtain a specific ID that correlates with the ruleIDUsing the ID retrieved from the Microsoft Graph API, ia malicious inbox rule is found, then the rule will be disabled. The flow will also resolve the alert in Cloud App Security and send an email to the user and the user’s manager to inform them that a remediation action was applied and the rule was disabled. 


 


Pairing this flow with the alert generated in Cloud App Security not only allows users to stay alert on rules that are exfiltrating data but goes one step further by disabling the rule itself. Let us know what you think of this template & if there are any use cases you’d like us to explore! 


 


Github template: https://github.com/microsoft/Microsoft-Cloud-App-Security/tree/master/Playbooks 


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.