Anthropic-Cybersecurity-Skills/skills/detecting-email-forwarding-rules-attack/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Detecting Email Forwarding Rules Attack

## Microsoft Graph API - Inbox Rules

```http
GET https://graph.microsoft.com/v1.0/users/{user-id}/mailFolders/inbox/messageRules
Authorization: Bearer {token}
```

Response:

```json
{
  "value": [
    {
      "displayName": "Forward invoices",
      "isEnabled": true,
      "conditions": {"subjectContains": ["invoice", "payment"]},
      "actions": {
        "forwardTo": [{"emailAddress": {"address": "attacker@evil.com"}}],
        "delete": true,
        "markAsRead": true
      }
    }
  ]
}
```

## Exchange Online PowerShell

```powershell
# List all inbox rules for a user (ForwardAsAttachmentTo is a third forwarding action worth showing)
Get-InboxRule -Mailbox user@company.com | FL Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# Find forwarding rules across all mailboxes
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
}

# Search unified audit log for rule creation (both -StartDate and -EndDate are mandatory)
Search-UnifiedAuditLog -Operations "New-InboxRule","Set-InboxRule" -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
```

## Suspicious Rule Indicators

| Indicator | Severity | Description |
|---|---|---|
| External forwarding | HIGH | Forwards to a non-org domain |
| Forward + delete | CRITICAL | Forwards, then deletes the original |
| Financial keywords | HIGH | Targets invoice/payment subjects |
| Forward + mark read | HIGH | Hides forwarded messages from the user |
| Move to RSS/Junk | MEDIUM | Hides messages in unused folders |
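As an added worked example (not the skill's own `agent.py`), the following Python applies the indicator table above to the body of the Graph `messageRules` response. The organisation domain, the `folder_names` map (assumed to be built from the `/mailFolders` endpoint, since `moveToFolder` carries a folder id rather than a name) and the sample response are constructed assumptions.

```python
SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
FINANCIAL_KEYWORDS = ("invoice", "payment")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "junk email")

def _addresses(recipients):
    # Graph recipient objects look like {"emailAddress": {"address": "..."}}
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]

def classify_rule(rule, org_domain, folder_names=None):
    """Score one Graph messageRule against the indicator table; returns a finding dict."""
    actions, conditions, findings = rule.get("actions", {}), rule.get("conditions", {}), []
    targets = (_addresses(actions.get("forwardTo")) + _addresses(actions.get("redirectTo"))
               + _addresses(actions.get("forwardAsAttachmentTo")))
    external = [a for a in targets if not a.endswith("@" + org_domain.lower())]
    if external:  # forwarding or redirecting to a non-org domain
        findings.append(("External forwarding", "HIGH"))
        if actions.get("delete"):
            findings.append(("Forward + delete", "CRITICAL"))
        if actions.get("markAsRead"):
            findings.append(("Forward + mark read", "HIGH"))
    subjects = [s.lower() for s in conditions.get("subjectContains", [])]
    if any(k in s for s in subjects for k in FINANCIAL_KEYWORDS):
        findings.append(("Financial keywords", "HIGH"))
    # moveToFolder holds a folder id; folder_names (assumed, from /mailFolders) maps id -> displayName
    folder = (folder_names or {}).get(actions.get("moveToFolder", ""), "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(("Move to RSS/Junk", "MEDIUM"))
    severity = max((sev for _, sev in findings), key=SEVERITY_RANK.get, default=None)
    return {"rule": rule.get("displayName"), "enabled": rule.get("isEnabled", True),
            "external_targets": external, "severity": severity, "findings": findings}

def classify_response(data, org_domain, folder_names=None):
    """Classify every rule in a parsed GET .../messageRules response body."""
    return [classify_rule(r, org_domain, folder_names) for r in data.get("value", [])]

# Constructed sample response in the shape shown above (not real data)
SAMPLE = {"value": [
    {"displayName": "Forward invoices", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "attacker@evil.com"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Tidy newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "AAMkFOLDER1"}},  # hypothetical folder id
]}

if __name__ == "__main__":
    for r in classify_response(SAMPLE, "company.com", {"AAMkFOLDER1": "RSS Feeds"}):
        print(r["severity"], r["rule"], [name for name, _ in r["findings"]])
```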

## Splunk SPL Detection

```spl
index=o365 Operation IN ("New-InboxRule", "Set-InboxRule")
| spath path=Parameters{} output=params
| mvexpand params
| spath input=params path=Name output=pname
| spath input=params path=Value output=pvalue
| where pname IN ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") AND NOT match(pvalue, "@company\\.com$")
```

The audit record's `Parameters` array holds one `{Name, Value}` object per cmdlet parameter, so the values are expanded and filtered by parameter name; matching every parameter value (rule names, conditions) against the org domain would flag almost every rule.

## CLI Usage

```bash
python agent.py --token "eyJ..." --user-id user@company.com --org-domain company.com
python agent.py --audit-log exchange_audit.log
```