Command Zero
Narration by Agent Zero
Highrun-e6d11c71-44a8-436f-a3f6-a156324c535e
Account Compromise
High confidence
  • account-compromise
  • business-email-compromise
  • inbox-rules
  • session-token-reuse
  • exchange-online
  • defense-evasion

Covert Inbox Rule Signals Account Compromise via Anonymous Proxy

An attacker used a stolen session token to access a director's Exchange mailbox from an anonymous proxy IP, executing 81 operations including a covert inbox rule designed to intercept emails from specific external contacts. Administrator confirmation and HIBP breach data corroborate the account compromise.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero

Investigation time: 5m 9s (autonomous)
Questions asked: 42 (data sources: CISCO, HAVEIBEENPWNED, IPDATA, MICROSOFT 365 DEFENDER, MICROSOFT DEFENDER XDR, MICROSOFT ENTRA, MICROSOFT EXCHANGE)
Records analyzed: 219 (across all data sources)
Human analysis: ~4 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$311 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On April 23, 2026, Microsoft Defender for Cloud Apps detected a suspicious inbox rule creation in the mailbox of user_1@[INTERNAL_DOMAIN_1].com, a Director of [ROLE_1] at [ORG_1]. The alert was triggered by a Set-InboxRule operation (MITRE T1564.008 — Email Hiding Rules) executed from an anonymous proxy IP ([EXTERNAL_IP_1], DataCamp Limited, Frankfurt, Germany) at 20:01:40Z.

What made this signal stand out: the rule was named "Alex Morgan" and configured to silently intercept emails containing specific keywords (`contact1@[EXTERNAL_DOMAIN_1].com`, `Alex Morgan`, `contact2@[EXTERNAL_DOMAIN_2].com`), marking them as read and moving them to the RSS Subscriptions folder—a classic concealment pattern with no legitimate business justification.

The investigation correlated this alert with 81 successful Exchange Online operations executed from the same anonymous proxy IP during a 46-minute window (19:15:59Z–20:02:00Z), including 44 MailItemsAccessed events and 36 Update operations modifying attachment collections across business-sensitive folders. Critically, no Entra ID sign-in record existed for the proxy IP, indicating the attacker was reusing a session token obtained from an earlier legitimate sign-in. The session ID (8f3e2b7d-1a9c-4f0e-bc35-d927416a5f1c) appeared in successful authentications from Santa Clara, Chicago, and Sand Springs within approximately two hours—geographically implausible for a Nashville-based employee whose device remained active in Nashville throughout the period.

An administrator confirmed the account as compromised (riskState: confirmedCompromised, riskDetail: adminConfirmedUserCompromised) approximately 30 minutes after the inbox rule event, marking the end of the autonomous investigation phase (~5 minutes across 42 data source queries).

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be suspicious activity rather than confirmed compromise?
Ruled out · High confidence
Supporting evidence (each weighted Moderate):
  • 81 successful Exchange operations from anonymous proxy
  • Set-InboxRule with concealment configuration
  • Administrator confirmed compromise (riskDetail: adminConfirmedUserCompromised)
Dismissed: The evidence crosses the threshold from suspicious to confirmed compromise. The combination of authenticated Exchange access from an anonymous proxy with no Entra sign-in, 81 successful mailbox operations, a covert inbox rule with specific keyword targeting, session token reuse across anomalous IPs, and an administrator's manual confirmation of compromise collectively constitutes cogent multi-source evidence. A 'Suspicious' verdict would understate the weight of evidence and the organizational determination already made.
H2: Could this be a false positive?
Ruled out · High confidence
Supporting evidence (each weighted Moderate):
  • No Entra sign-in record for [EXTERNAL_IP_1] (could suggest automated process)
  • User's on-premises device activity was normal throughout the period
  • MFA was completed for the session (Santa Clara sign-in)
Dismissed: A false positive would require the anonymous proxy access, the covert inbox rule, the session token reuse across anomalous IPs, and the administrator's manual compromise confirmation to all be explainable as benign. No plausible benign explanation exists for the inbox rule's design (hide specific correspondence, stop rule processing) created from an anonymous proxy IP with no prior access history. The administrator confirmation is a deliberate human judgment, not an automated artifact.
H3: Could this be a fully compromised system rather than just account compromise?
Ruled out · Medium confidence
Supporting evidence (each weighted Moderate):
  • 81 Exchange operations including mail access and attachment modification
  • Covert inbox rule installation (persistence/defense evasion)
  • No evidence of lateral movement in DeviceLogonEvents
Dismissed: The evidence establishes account compromise with a persistence mechanism (inbox rule) and mailbox reconnaissance/access. However, the available evidence does not demonstrate post-exploitation objectives beyond the email account itself—no lateral movement to other systems, no credential harvesting from endpoints, no data staging or exfiltration to external destinations, and no C2 communication are evidenced. The on-premises device logon events show normal behavior. Account Compromise is the more precisely calibrated verdict for the observed scope of attacker activity.
H4: Could this be malicious insider activity?
Ruled out · High confidence
Supporting evidence (each weighted Moderate):
  • Anonymous proxy IP with no prior access history
  • No Entra sign-in record for [EXTERNAL_IP_1]
  • User's device active from Nashville earlier same day
Dismissed: The activity originates from an anonymous proxy IP (DataCamp Limited, Frankfurt, Germany) with no prior access history for this user, and no Entra sign-in record exists for this IP. The user's legitimate activity was occurring from Nashville corporate infrastructure earlier the same day. The inbox rule was created from the proxy IP, not from the user's known devices or locations. The pattern is consistent with an external actor using a stolen session token, not an insider using their own credentials from an unusual location.

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

Cloud Application Activity Log
IP [EXTERNAL_IP_1] (DataCamp Limited, anonymous proxy, VPN score 100) executed 81 successful Exchange Online operations in a 46-minute window on 2026-04-23 (19:15:59Z–20:02:00Z): 44 MailItemsAccessed events across Sent Items, Inbox subfolders ([FOLDER_1], [FOLDER_2], [ORG_1] Legal/[FOLDER_3], [FOLDER_4]), and 36 Update operations modifying AttachmentCollection properties on business emails referencing invoices, payments, and licensing. All operations returned ResultStatus Succeeded. Both ActionType and ISP were flagged as UncommonForUser for the Set-InboxRule event.
Methodology: Microsoft Defender for Cloud Apps provides detailed activity logs from cloud services including Exchange Online, SharePoint, and OneDrive. It includes location data, user agent details, and activity objects, enabling deeper analysis of cloud application activities and identifying anomalous patterns.
Microsoft Defender for Cloud Apps
Exchange Audit Log
Set-InboxRule operation at 2026-04-23T20:01:40Z from IP [EXTERNAL_IP_1] via Outlook Web Access (MSExchangeOWAAppPool, session 8f3e2b7d-1a9c-4f0e-bc35-d927416a5f1c). Rule named 'Alex Morgan' configured to: mark as read, move to RSS Subscriptions folder, stop processing rules—triggered when subject/body contains 'contact1@[EXTERNAL_DOMAIN_1].com', 'Alex Morgan', or 'contact2@[EXTERNAL_DOMAIN_2].com'. Operation completed with ResultStatus True. This rule silently hides targeted correspondence from the legitimate user's inbox view.
Methodology: Exchange audit logs capture mailbox operations including inbox rule creation, modification, and deletion. Analyzing these logs helps identify unauthorized rule changes that may indicate account compromise or insider threats. Inbox rules are commonly used by attackers to hide evidence of compromise or intercept sensitive communications.
Microsoft 365 Exchange Online Audit
Sign-In Log
Session ID 8f3e2b7d-1a9c-4f0e-bc35-d927416a5f1c—the same session used during the anonymous proxy Exchange activity—appears in successful Entra sign-ins from: Santa Clara ([EXTERNAL_IP_2], Tencent, 17:58:32Z with MFA via mobile app notification), Chicago ([EXTERNAL_IP_3], AT&T, 19:15:28Z and 19:15:38Z, 'Previously satisfied'), and Sand Springs OK ([EXTERNAL_IP_4], AT&T, 19:49:20Z–19:49:42Z, 'Previously satisfied'). No Entra sign-in record exists for [EXTERNAL_IP_1], indicating the proxy session used a token obtained from the Santa Clara sign-in rather than presenting credentials directly.
Methodology: Entra ID sign-in logs record authentication events including successful and failed sign-in attempts, MFA challenges, and conditional access policy evaluations. Analyzing sign-in logs helps identify anomalous authentication patterns, impossible travel, and session token reuse across geographically dispersed locations.
Microsoft Entra ID (Azure AD) Beta Sign-In Logs
Threat Intelligence / IP Enrichment
[EXTERNAL_IP_1] classified as: is_anonymous: true, is_datacenter: true, is_vpn: true, vpn_score: 100, hosted by DataCamp Limited (AS212238), geolocated to Frankfurt am Main, Germany. Listed on ipdata.co VPN blocklist. This IP is not associated with any known [ORG_1] corporate infrastructure and is inconsistent with the user's established access pattern (Nashville corporate IP [EXTERNAL_IP_6], AT&T residential IPs in Houston/Wichita).
Methodology: IP enrichment services provide geolocation, hosting organization, VPN/proxy classification, and threat reputation data. This information helps analysts assess whether an IP address is associated with legitimate corporate infrastructure or represents a potential security risk from anonymous proxies, VPNs, or known threat infrastructure.
IPData / c0-ipdata enrichment
Risk Detection Record
Risk detection for user_1@[INTERNAL_DOMAIN_1].com (object ID [ENTRA_OBJECT_ID_1]) recorded at 2026-04-23T20:32:09Z with riskState: confirmedCompromised, riskLevel: high, riskDetail: adminConfirmedUserCompromised. This represents a deliberate human administrative determination of account compromise, not an automated risk score. The account was not deleted (isDeleted: false) and no automated remediation was pending (isProcessing: false) at time of record.
Methodology: Microsoft Entra ID Protection detects identity-based risks including compromised credentials, atypical travel, and anomalous sign-in patterns. Administrator-confirmed compromise determinations (riskDetail: adminConfirmedUserCompromised) represent deliberate human judgments that override automated risk scoring.
Microsoft Entra ID Protection
HIBP Breach Data
user_1@[INTERNAL_DOMAIN_1].com appears in 10 breach records including Operation Endgame (2024-05-30, verified, law enforcement botnet takedown yielding 16.4M email/password pairs), Onliner Spambot (2017, 711M records with passwords), Anti Public Combo List (2016, 457M credential stuffing list), and MySpace (2008, 359M SHA1 password hashes). These breaches provide a plausible mechanism for credential acquisition by a threat actor.
Methodology: Have I Been Pwned aggregates publicly disclosed data breaches and credential lists. Email addresses appearing in HIBP breaches indicate credential exposure that may enable credential stuffing, password spray, or other account takeover attacks. Multiple breach appearances increase the likelihood that credentials were compromised.
Have I Been Pwned
User Activity Summary
The Set-InboxRule from anonymous proxy occurred approximately 1 hour 12 minutes after the last legitimate activity from Nashville corporate IP ([EXTERNAL_IP_6], last seen 18:49:24Z on 2026-04-23). The user's established pattern shows consistent access from Nashville ([ORG_1] corporate network, confirmed by IPData company attribution to [ORG_1]), with occasional AT&T residential access from Houston and Wichita. The anonymous proxy session represents a clear behavioral deviation with no precedent in the observed baseline.
Methodology: User activity summaries aggregate cloud application events by IP address, location, and device type. Comparing current activity against established baseline patterns helps identify behavioral deviations that may indicate account compromise or unauthorized access.
Microsoft Defender for Cloud Apps—User Activity
Safe Links / URL Click Telemetry
On 2026-04-23 at 17:56:25Z and 17:59:30Z, user_1@[INTERNAL_DOMAIN_1].com clicked SharePoint links from [EXTERNAL_DOMAIN_2]-my.sharepoint.com (a personal SharePoint site belonging to user 'angie') from Nashville IP [EXTERNAL_IP_6]. The inbox rule created by the attacker includes 'contact2@[EXTERNAL_DOMAIN_2].com' as a keyword trigger, suggesting the attacker reviewed the user's email to identify this contact and then created a rule to intercept future correspondence with her—consistent with BEC reconnaissance and interception behavior.
Methodology: Safe Links click events record when users interact with URLs in emails and documents. Correlating Safe Links telemetry with inbox rule creation can reveal whether attackers performed mailbox reconnaissance before installing persistence mechanisms or interception rules.
Microsoft Defender XDR Advanced Hunting

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. FPV-1
    Check whether the anonymous proxy IP ([EXTERNAL_IP_1]) could represent a corporate VPN or authorized remote access infrastructure.
    Fail
  2. FPV-2
    Evaluate whether the inbox rule 'Alex Morgan' could have been created by the legitimate user for a benign purpose.
    Fail
  3. FPV-4
    Verify whether the administrator confirmation of compromise (riskDetail: adminConfirmedUserCompromised) could be an error or automated action.
    Pass

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Tags: Suspicious inbox manipulation rule · Anomalous mailbox access · Session token reuse

Technique: T1564.008 (Email Hiding Rules)
Tactic: Defense Evasion
Context: Flag Set-InboxRule, New-InboxRule, or Enable-InboxRule operations that create rules with concealment patterns: moving messages to non-standard folders (RSS Subscriptions, Deleted Items, Archive), marking as read without user interaction, or stopping further rule processing. Alert on rules triggered by keywords associated with financial transactions, executive communications, or external partner contacts. Correlate inbox rule creation with anomalous sign-in activity (anonymous proxies, impossible travel, token reuse) and absence of corresponding Entra sign-in records for the IP executing the rule.

Technique: T1114.003 (Email Collection: Forwarding Rule)
Tactic: Collection
Context: Monitor for bulk MailItemsAccessed events (>30 in a single session) combined with Update operations modifying AttachmentCollection properties, especially when originating from anonymous proxy IPs or VPN infrastructure. Flag sessions where the IP has no prior access history for the user and does not appear in Entra sign-in logs. Correlate with Safe Links telemetry to identify whether the attacker reviewed the user's recent email interactions before creating targeted interception rules.

Technique: T1078.004 (Use of Legitimate Credentials: Cloud Accounts)
Tactic: Lateral Movement
Context: Detect session token reuse across geographically dispersed IPs within short timeframes (e.g., Santa Clara, Chicago, Sand Springs within 2 hours). Flag sessions where authentication is satisfied via 'Previously satisfied' claims rather than fresh MFA challenges, especially when the legitimate user's device is simultaneously active in a different geographic location. Cross-reference session IDs across Exchange audit logs, Entra sign-in logs, and Defender for Cloud Apps to identify token reuse patterns.
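One way to implement the session-correlation checks in the T1078.004 row above (the same cross-referencing the first lesson in the Lessons section describes): an added example, not code from Command Zero or Agent Zero. The sign-in and activity records are constructed to mirror the page's evidence; IPs, coordinates and session ids are placeholders, not the investigation's values.

```python
# Added example (not Command Zero / Agent Zero code): correlate Entra sign-ins
# with Exchange / Defender for Cloud Apps activity by sessionId to surface the
# two token-reuse signals on this page. All records are constructed; IPs,
# coordinates and session ids are placeholders, not the investigation's values.
from collections import defaultdict
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

SIGNINS = [  # constructed Entra sign-in records (sessionId, IP, geo, MFA detail)
    {"sessionId": "SESSION-A", "ip": "203.0.113.10", "city": "Santa Clara",
     "lat": 37.35, "lon": -121.95, "time": "2026-04-23T17:58:32Z",
     "mfa": "mobile app notification"},
    {"sessionId": "SESSION-A", "ip": "198.51.100.20", "city": "Chicago",
     "lat": 41.88, "lon": -87.63, "time": "2026-04-23T19:15:28Z",
     "mfa": "Previously satisfied"},
    {"sessionId": "SESSION-A", "ip": "198.51.100.30", "city": "Sand Springs",
     "lat": 36.14, "lon": -96.11, "time": "2026-04-23T19:49:20Z",
     "mfa": "Previously satisfied"},
    {"sessionId": "SESSION-B", "ip": "192.0.2.5", "city": "Nashville",
     "lat": 36.16, "lon": -86.78, "time": "2026-04-23T18:49:24Z",
     "mfa": "Previously satisfied"},
]
ACTIVITY = [  # constructed Exchange audit / cloud-app activity, same sessionIds
    {"sessionId": "SESSION-A", "ip": "192.0.2.99", "op": "Set-InboxRule",
     "time": "2026-04-23T20:01:40Z"},
    {"sessionId": "SESSION-B", "ip": "192.0.2.5", "op": "MailItemsAccessed",
     "time": "2026-04-23T18:40:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def km(a, b):
    """Haversine great-circle distance between two records carrying lat/lon."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def by_session(signins):
    """Group sign-ins by sessionId, each group sorted by time."""
    groups = defaultdict(list)
    for s in signins:
        groups[s["sessionId"]].append(s)
    for events in groups.values():
        events.sort(key=lambda e: parse_ts(e["time"]))
    return groups


def activity_without_signin(signins, activity):
    """Activity whose (sessionId, IP) pair never authenticated: the token was
    presented from an IP that never signed in, the page's key reuse indicator."""
    seen = {(s["sessionId"], s["ip"]) for s in signins}
    return [a for a in activity if (a["sessionId"], a["ip"]) not in seen]


def implausible_travel(signins, window_hours=2.0, max_kmh=900.0):
    """Sign-in pairs in one session, within window_hours, whose geo distance
    implies travel faster than max_kmh. Each hit also reports how the later
    sign-in satisfied MFA ('Previously satisfied' means the claim was replayed)."""
    flagged = []
    for sid, events in by_session(signins).items():
        for a, b in combinations(events, 2):
            hours = (parse_ts(b["time"]) - parse_ts(a["time"])).total_seconds() / 3600
            if hours > window_hours:
                continue
            speed = km(a, b) / max(hours, 1 / 3600)  # floor avoids divide-by-zero
            if speed > max_kmh:
                flagged.append((sid, a["city"], b["city"], round(speed), b["mfa"]))
    return flagged
```

Run against real data, the session id comes from the Exchange audit record's SessionId and the Entra sign-in's correlation fields; the Nashville session shows how a single-location session produces no hits.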

Verdict Reasoning

The verdict of Account Compromise at high confidence rests on the following mutually corroborating signals:

1. Authenticated mailbox access from a classified anonymous proxy IP (DataCamp Limited, VPN score 100) with no corresponding Entra sign-in record, indicating token reuse rather than credential presentation—81 successful Exchange operations executed in a 46-minute window

2. A covert inbox rule with specific keyword targeting (`contact1@[EXTERNAL_DOMAIN_1].com`, `Alex Morgan`, `contact2@[EXTERNAL_DOMAIN_2].com`) configured to hide correspondence without deletion, a pattern inconsistent with legitimate user behavior and flagged as UncommonForUser by Defender for Cloud Apps

3. Session token reuse across geographically dispersed IPs (Santa Clara, Chicago, Sand Springs) within ~2 hours on the same day, with authentication satisfied via "Previously satisfied" claims from an earlier MFA-completing sign-in, while the user's device remained active in Nashville

4. Administrator confirmation of compromise (riskDetail: adminConfirmedUserCompromised) recorded at 20:32:09Z, representing a deliberate human determination rather than an automated risk score

5. Credential exposure via 10 HIBP breaches including Operation Endgame, providing a plausible acquisition vector for the initial compromise

Confidence is High rather than Confirmed because the available telemetry does not evidence post-exploitation objectives beyond the email account itself (no lateral movement, no endpoint compromise, no external data staging), leaving the full scope of attacker objectives undetermined.

Lessons

  1. Session token reuse is harder to detect than credential reuse. In this investigation, the attacker obtained a valid session token from a legitimate MFA-completing sign-in (Santa Clara, 17:58:32Z) and reused it across four geographically implausible IPs within two hours. The absence of Entra sign-in records for the anonymous proxy IP initially appeared to be a gap in telemetry; in fact, it was the key indicator of token reuse. Lesson: when an IP shows successful cloud application activity but no corresponding Entra sign-in record, investigate whether the session token was obtained from a prior sign-in. Correlate session IDs across Exchange audit logs, Defender for Cloud Apps, and Entra logs to detect token reuse patterns that credential-based detection would miss.
  2. Inbox rule concealment patterns are more reliable than forwarding rules. This attacker did not create an external forwarding rule (which would trigger immediate alerts and leave obvious exfiltration paths). Instead, they created a rule that marks targeted emails as read and moves them to a non-standard folder (RSS Subscriptions), hiding correspondence from the legitimate user without deleting it. This pattern is harder to detect because it does not involve external recipients or bulk data movement. Lesson: monitor for inbox rules that combine three elements: (1) non-standard destination folders, (2) keyword triggers matching the user's known external contacts, (3) stop-processing directives that prevent other rules from executing. These patterns indicate surveillance and concealment, not legitimate mail organization.
  3. Attacker reconnaissance is visible in Safe Links telemetry. The attacker created an inbox rule targeting `contact2@[EXTERNAL_DOMAIN_2].com` as a keyword trigger. On the same day, the legitimate user had clicked Safe Links to `[EXTERNAL_DOMAIN_2]-my.sharepoint.com` from the Nashville corporate IP. This correlation suggests the attacker reviewed the user's email to identify high-value external contacts before creating the interception rule. Lesson: when investigating inbox rule creation, cross-reference the rule's keyword triggers with the user's recent Safe Links clicks and email activity. If the keywords match recent external contacts, the attacker likely performed mailbox reconnaissance before installing persistence mechanisms.
  4. Administrator confirmation of compromise is a strong signal, but scope remains uncertain. The administrator confirmed the account as compromised (riskDetail: adminConfirmedUserCompromised) 30 minutes after the inbox rule event. This human judgment carries high weight and correctly identified the compromise. However, the available telemetry does not evidence post-exploitation objectives beyond the email account itself—no lateral movement, no endpoint compromise, no external data staging. Lesson: administrator confirmation should trigger immediate containment (password reset, session revocation, MFA re-registration), but the investigation should continue to determine whether the attacker accessed other systems, exfiltrated data, or established additional persistence mechanisms. Do not assume the scope of compromise is limited to the email account.
  5. HIBP breach data provides plausible acquisition vectors, not proof of compromise. The user's email appeared in 10 HIBP breaches, including Operation Endgame (2024). This data supports the hypothesis that the attacker obtained credentials through a prior breach and used them to compromise the account. However, HIBP data alone does not prove when or how the compromise occurred. Lesson: use HIBP breach data to contextualize the compromise (e.g., 'credentials were exposed in a known breach'), but do not rely on it as the sole evidence of account compromise. Correlate with sign-in logs, mailbox access patterns, and inbox rule creation to establish a timeline and confirm the compromise occurred after the breach.
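The inbox-rule scoring that the T1564.008 detection row and the second and third lessons call for (non-standard folder, mark-as-read, stop-processing, and keyword triggers cross-referenced against the user's known external contacts), as an added example that is not Command Zero or Agent Zero code. The audit record is constructed to mirror the Unified Audit Log shape (Operation, ClientIP, Parameters as Name/Value pairs); the rule name, keywords and folder come from the page, while the client IP and the known-contacts list are placeholders.

```python
# Added example (not Command Zero / Agent Zero code): score one inbox-rule
# audit record for the concealment pattern this page describes. The record is
# constructed to mirror the Unified Audit Log shape; rule keywords and folder
# are from the page, the client IP and contact list are placeholders.
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
# Destinations users rarely look at; the page's rule used RSS Subscriptions.
CONCEALMENT_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                       "archive", "junk email", "conversation history"}
KEYWORD_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords",
                  "BodyContainsWords", "FromAddressContainsWords")

AUDIT_RECORD = {  # constructed, shaped like a Set-InboxRule audit entry
    "CreationTime": "2026-04-23T20:01:40", "Operation": "Set-InboxRule",
    "ClientIP": "192.0.2.99", "UserId": "user_1@[INTERNAL_DOMAIN_1].com",
    "Parameters": [
        {"Name": "SubjectOrBodyContainsWords", "Value":
         "contact1@[EXTERNAL_DOMAIN_1].com;Alex Morgan;contact2@[EXTERNAL_DOMAIN_2].com"},
        {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "MoveToFolder", "Value": "user_1@[INTERNAL_DOMAIN_1].com:\\RSS Subscriptions"},
        {"Name": "StopProcessingRules", "Value": "True"},
    ],
}
# Hypothetical recent external correspondents, e.g. built from Safe Links
# clicks or sent-mail recipients, for the cross-reference the lessons describe.
KNOWN_EXTERNAL_CONTACTS = {"contact2@[EXTERNAL_DOMAIN_2].com", "vendor@[EXTERNAL_DOMAIN_3].com"}


def parameters(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def keyword_triggers(params):
    """Every keyword the rule matches on, lower-cased (values are ';'-separated)."""
    words = []
    for name in KEYWORD_PARAMS:
        words += [w.strip().lower() for w in params.get(name, "").split(";") if w.strip()]
    return words


def score_inbox_rule(record, known_contacts=frozenset()):
    """Return (score, reasons) for one audit record (dict or JSON string); score is
    0 for non-rule operations. Each reason is one concealment element from the page."""
    if isinstance(record, str):
        record = json.loads(record)
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p = parameters(record)
    reasons = []
    folder = p.get("MoveToFolder", "").split("\\")[-1].strip().lower()
    if folder in CONCEALMENT_FOLDERS:
        reasons.append(f"moves matches to non-standard folder '{folder}'")
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching messages")
    if p.get("MarkAsRead") == "True":
        reasons.append("marks matches as read without user interaction")
    if p.get("StopProcessingRules") == "True":
        reasons.append("stops further rule processing")
    words = keyword_triggers(p)
    contacts = {c.lower() for c in known_contacts}
    hits = sorted(w for w in words if w in contacts)
    if hits:
        reasons.append(f"keyword triggers match known external contacts: {hits}")
    elif any("@" in w for w in words):
        reasons.append("keyword triggers name external addresses")
    return len(reasons), reasons
```

A score of 3 or more on a rule created from an IP with no Entra sign-in record is the combination the page's verdict rested on; a single element (for example a move to Archive) is common in benign rules and should not alert alone.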