MS Graph security API V2 case studies
MDR identified one user with eight different IP addresses, two different Chrome version user agent strings, and both Windows NT and Macintosh as the OS in the user agent strings, all within the same session. This pattern is commonly caused by an Adversary in the Middle (AiTM) platform like Evilginx, Modlishka, or Muraena: the user's credentials and tokens are captured and then replayed by the adversary from a new IP address, from which the attacker logs into M365 with the stolen token or credentials.
After a thorough investigation, MDR identified six other users within the same customer who had been compromised, including multiple users with inbox rules with the following interesting attributes:
MarkAsRead: When this parameter is true, the email is marked as Read. Adversaries use this tactic to assist with hiding compromise.
Name: The name given to the inbox rule. In this instance, the adversary made the name "s". Adversaries typically use short names to draw less attention to the inbox rule.
SubjectOrBodyContainsWords: Adversaries can use the SubjectOrBodyContainsWords attribute to filter emails for keywords. In this instance, the adversary filtered for keywords and then moved the matching emails.
DeleteMessage: When DeleteMessage is True, the email is deleted, and the end user isn't aware that the email exists.
Putting all these attributes together, we can see that when the user receives an email where the subject or body contains "hacked", "phishing", "malicious", "suspicious", "fraud", "MFA", or "spoof", the email is marked as read and then deleted. This hides from the end user the fact that they may be compromised.
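The following is an added example, not code from the case study or from MDR's tooling: it scores exported inbox rules for the hide-and-delete combination described above (tiny name, security-keyword filter, MarkAsRead, DeleteMessage). The records are constructed here and their keys are assumed to follow the property names of Exchange Online's Get-InboxRule output.

```python
# Added example: flag inbox rules that match the AiTM hide-and-delete pattern.
# Record keys assume Get-InboxRule property names (Name, Enabled, MarkAsRead,
# DeleteMessage, SubjectOrBodyContainsWords, MailboxOwnerId).

# Keywords a victim would expect in a warning e-mail; the rule in the case study
# filtered exactly these terms.
SECURITY_TERMS = {"hacked", "phishing", "malicious", "suspicious", "fraud", "mfa", "spoof"}


def rule_findings(rule):
    """Return the list of suspicious traits a single inbox rule exhibits."""
    findings = []
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append("short or empty rule name")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
    hits = sorted(words & SECURITY_TERMS)
    if hits:
        findings.append("filters on security keywords: " + ", ".join(hits))
    if rule.get("MarkAsRead"):
        findings.append("marks matching mail as read")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    return findings


def suspicious_rules(rules, min_findings=3):
    """Return (mailbox, rule name, findings) for enabled rules with enough traits."""
    results = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot hide mail; skip it
        findings = rule_findings(rule)
        if len(findings) >= min_findings:
            results.append((rule["MailboxOwnerId"], rule["Name"], findings))
    return results


# Constructed sample: one rule built from the pattern above, two benign rules.
SAMPLE_RULES = [
    {"MailboxOwnerId": "user1@example.com", "Name": "s", "Enabled": True,
     "MarkAsRead": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["hacked", "phishing", "malicious",
                                    "suspicious", "fraud", "MFA", "spoof"]},
    {"MailboxOwnerId": "user2@example.com", "Name": "Newsletters", "Enabled": True,
     "MarkAsRead": True, "DeleteMessage": False,
     "SubjectOrBodyContainsWords": ["unsubscribe"]},
    {"MailboxOwnerId": "user3@example.com", "Name": "x", "Enabled": False,
     "MarkAsRead": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["phishing"]},
]

if __name__ == "__main__":
    for mailbox, name, findings in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: {'; '.join(findings)}")
```

Lowering min_findings trades precision for recall; rules that only mark security-keyword mail as read, without deleting it, are still worth a look in a hunt.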