ChatOps topics: Potential account compromise alerts

Use ChatOps to send your security team alerts about events that might indicate that an attacker has compromised one of your employee’s SaaS accounts.

Not sure what ChatOps is? Find out more here.

What kind of messages are sent?

If you have the “check suspicious mail rules” topic enabled, Push will message employees when a new mail rule is created. That message will ask them to confirm that they created the mail rule. If they confirm that they created the mail rule, great, nothing to worry about. See Check suspicious mail rules for more information about the employee topic.

If an employee indicates they didn't create the mail rule, it's a strong indicator that an attacker may have compromised their account and created a malicious mail rule, and you'll get an alert that looks like this:

Figure: An example ChatOps security channel alert when a suspicious mail rule is reported

See our blog post on how attackers use mail rules to access your inbox.

Which platforms are supported?

We support Google Workspace and Microsoft 365 for mail rule detection.

Note that Google Workspace calls mail rules “mail filters,” but they behave very similarly. Unfortunately, mail filters cannot be disabled, only deleted, so we take no automated action: deleting the rule automatically would destroy evidence and limit your ability to investigate the incident.
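To make the flow above concrete, here is an added example (not Push's code, and not how Push detects or evaluates rules) of the kind of triage a security team might run over a newly created mail rule before it reaches the channel. It normalises a Google Workspace mail filter and a Microsoft 365 inbox rule into one summary, notes the two actions a reviewer most wants to know about (forwarding to an external domain, removing mail from the Inbox), and only produces an alert when the employee has denied creating the rule. The record shapes loosely follow the Gmail API filter resource and the Microsoft Graph messageRule resource, but the field names, the `INTERNAL_DOMAINS` set and all sample records are constructed assumptions.

```python
"""Triage helper for a newly created mail rule.

Added example for this page, not Push's code: it does not show how Push detects
or decides on mail rules. The two record shapes handled below are constructed
samples that loosely follow the Gmail API filter resource and the Microsoft
Graph messageRule resource; treat the field names as assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed: the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class RuleSummary:
    platform: str
    owner: str
    forwards_to: list[str] = field(default_factory=list)
    hides_messages: bool = False
    findings: list[str] = field(default_factory=list)


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def _assess(summary: RuleSummary) -> RuleSummary:
    """Attach human-readable findings explaining why the rule deserves attention."""
    external = [a for a in summary.forwards_to if _is_external(a)]
    if external:
        summary.findings.append(
            "forwards mail to an external address: " + ", ".join(external)
        )
    if summary.hides_messages:
        summary.findings.append("removes matching mail from the Inbox (delete/move)")
    return summary


def summarise_google_filter(owner: str, flt: dict) -> RuleSummary:
    """Google Workspace calls these 'mail filters'; the action block carries a
    forward address and label changes (TRASH added or INBOX removed)."""
    action = flt.get("action", {})
    summary = RuleSummary("Google Workspace", owner)
    if fwd := action.get("forward"):
        summary.forwards_to.append(fwd)
    summary.hides_messages = (
        "TRASH" in action.get("addLabelIds", [])
        or "INBOX" in action.get("removeLabelIds", [])
    )
    return _assess(summary)


def summarise_m365_rule(owner: str, rule: dict) -> RuleSummary:
    """Microsoft 365 inbox rules carry forwardTo recipients and delete/move actions."""
    actions = rule.get("actions", {})
    summary = RuleSummary("Microsoft 365", owner)
    for rcpt in actions.get("forwardTo", []):
        summary.forwards_to.append(rcpt["emailAddress"]["address"])
    summary.hides_messages = bool(actions.get("delete")) or "moveToFolder" in actions
    return _assess(summary)


def build_alert(summary: RuleSummary, employee_confirmed: bool) -> Optional[str]:
    """Mirror the page's flow: alert the security channel only when the employee
    says they did NOT create the rule. Returns None when no alert is needed."""
    if employee_confirmed:
        return None
    lines = [
        f"Potential account compromise: {summary.owner} denies creating a new "
        f"{summary.platform} mail rule."
    ]
    lines += [f"- {f}" for f in summary.findings] or [
        "- no forwarding or hiding actions found; review the rule manually"
    ]
    lines.append("Rule left in place for investigation; no automated action taken.")
    return "\n".join(lines)


# Constructed sample records (not real data; the .invalid TLD is reserved).
SAMPLE_GOOGLE_FILTER = {
    "criteria": {"from": "finance@example.com"},
    "action": {"forward": "collector@attacker-mail.invalid", "removeLabelIds": ["INBOX"]},
}
SAMPLE_M365_RULE = {
    "displayName": "Invoices",
    "conditions": {"subjectContains": ["invoice"]},
    "actions": {
        "forwardTo": [{"emailAddress": {"address": "collector@attacker-mail.invalid"}}],
        "delete": True,
    },
}
SAMPLE_BENIGN_RULE = {
    "displayName": "Team inbox",
    "actions": {"forwardTo": [{"emailAddress": {"address": "team@example.com"}}]},
}

if __name__ == "__main__":
    summary = summarise_m365_rule("bob@example.com", SAMPLE_M365_RULE)
    print(build_alert(summary, employee_confirmed=False))
```

The heuristics are deliberately coarse: forwarding to an internal address or moving mail to a folder can be perfectly legitimate, which is exactly why the employee's own answer, rather than the rule's contents, is what decides whether the security channel is notified.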

Can’t I just disable mail forwarding to mitigate risk?

You can, but we wouldn’t recommend it. Employees often have valid reasons and use cases for mail forwarding, so it might be frustrating for your coworkers. We’ve written a short article on this topic that’s worth reading if you’re considering disabling mail forwarding options: Should you disable external email auto-forwarding?

Any other questions?

If you’d like to know more about this chat topic, or ChatOps generally, feel free to contact us.