From cybersecurity-skills
Detects malicious email forwarding rules created by adversaries for persistence and BEC attacks. Provides threat hunting workflows and queries for EDR and SIEM platforms.
How this skill is triggered (by the user, by Claude, or both):

Slash command: `/cybersecurity-skills:detecting-email-forwarding-rules-attack`

The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
- When proactively hunting the environment for indicators of email forwarding rule attacks
| Technique ID | Name |
|---|---|
| T1114.003 | Email Forwarding Rule |
| T1114.002 | Remote Email Collection |
| T1098.002 | Additional Email Delegate Permissions |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
```
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1114.003
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
```
`npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills`
Detects malicious email forwarding rules adversaries use for persistent email access in intelligence collection and BEC attacks. Useful for threat hunting in EDR and SIEM.
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.