Merged
9 changes: 5 additions & 4 deletions detections/cloud/o365_bec_email_hiding_rule_created.yml
@@ -1,7 +1,7 @@
name: O365 BEC Email Hiding Rule Created
id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
version: 3
date: '2025-07-01'
version: 4
date: '2025-07-23'
author: '0xC0FFEEEE, Github Community'
type: TTP
status: production
@@ -18,6 +18,7 @@ search: |-
| eval read_score=if(MarkAsRead="True", 1, 0)
| eval folder_score=if(match(MoveToFolder, "^(RSS|Conversation History|Archive)"), 1, 0)
| eval suspicious_score=entropy_score+len_score+read_score+folder_score
| where suspicious_score>2
| `o365_bec_email_hiding_rule_created_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
Office 365 management activity events. You also need to have the Splunk TA URL
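Review bot: `match(MoveToFolder, "^(RSS|Conversation History|Archive)")` is a case-sensitive regex, so a rule that files mail into a folder named `archive` or `rss` scores 0 on folder_score; if folder names in the ingested events are not normalised, `match(MoveToFolder, "(?i)^(RSS|Conversation History|Archive)")` keeps the intent while tolerating case. Also, since read_score and folder_score are 0/1, `where suspicious_score>2` requires at least three of the four indicators to fire (assuming entropy_score and len_score are binary as well); a sentence in the description on why 2 is the threshold would help later tuning. This rendering drops the +/- markers, so it is not visible which of these seven lines is the single addition the hunk header records.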
@@ -28,15 +29,15 @@ references:
- https://attack.mitre.org/techniques/T1564/008/
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search dest = "$user$"'
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Potential BEC mailbox rule was created by $user$
message: Potential BEC mailbox rule - $Name$ was created by user - $user$
risk_objects:
- field: user
type: user
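Review bot: switching the first drilldown from `dest = "$user$"` to `user = "$user$"` is the substantive fix, since risk_objects names `user` as the field and a `dest` filter on this search would have returned nothing. For the new rba message `Potential BEC mailbox rule - $Name$ was created by user - $user$`, confirm that `Name` is still present in the search's final output (the visible SPL excerpt ends with eval/where and the filter macro, so any earlier stats or table must carry `Name` through); otherwise the token will not resolve in the risk message.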