Back to Intelligence

Onsite Women's Health $2.5M Settlement: Defending Against Email Account Compromise

SA
Security Arsenal Team
June 4, 2026
5 min read

Onsite Women’s Health recently agreed to a $2.5M settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) following a breach involving a single employee email account. This incident, which exposed the Protected Health Information (PHI) of over 37,000 individuals, underscores a critical reality for healthcare defenders: a single compromised mailbox can result in multi-million dollar regulatory penalties and irreparable reputational damage.

As we navigate 2026, threat actors continue to target healthcare entities via Business Email Compromise (BEC) and phishing to access high-value data. Defenders must move beyond basic awareness and implement technical controls that detect the initial access and post-compromise activity within email environments.

Technical Analysis

While the specific technical details of the Onsite Women’s Health intrusion were not fully disclosed in the settlement summary, the attack vector—compromised employee email credentials—aligns with the most prevalent threats in the healthcare sector today.

  • Affected Platforms: Cloud-based email services (Microsoft 365, Google Workspace).
  • Attack Vector: Credential theft (likely via phishing or credential stuffing) or session hijacking.
  • Attack Chain:
    1. Initial Access: Actor obtains legitimate credentials for a corporate email account.
    2. Persistence: Actor may create Inbox Rules to delete security alerts or forward sensitive mail to external accounts to maintain access and hide activity.
    3. Exfiltration: Actor utilizes PowerShell or native web interfaces to export mailboxes (PST exports) or manually scrape sensitive PHI.
    4. Lateral Movement: In some cases, the email account is used to reset credentials for other systems or to conduct internal phishing.
  • Exploitation Status: Confirmed active exploitation leading to a breach and settlement.

Detection & Response

Defenders must assume that perimeter controls will eventually fail. Detection of email account compromise relies on identifying anomalous behavior after authentication. The following rules and queries are designed to catch the "hands-on-keyboard" activities associated with mailbox manipulation and data exfiltration.

SIGMA Rules

YAML
---
title: O365 Suspicious Inbox Rule Creation
id: 8a4b2c1d-9e3f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects the creation of inbox rules that forward emails to external recipients, a common BEC tactic.
references:
  - https://attack.mitre.org/techniques/T1114/003
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.collection
  - attack.t1114.003
logsource:
  product: o365
  service: exchange
detection:
  selection:
    Operation|contains:
      - 'New-InboxRule'
      - 'Set-InboxRule'
    Parameters|contains:
      - 'ForwardTo'
      - 'RedirectTo'
      - 'CopyToFolder'
  filter:
    Parameters|contains:
      - '@contoso.com' # Replace with internal domain to exclude internal forwards
falsepositives:
  - Legitimate user mail forwarding rules
level: high
---
title: PowerShell Exchange Online Mailbox Export
id: 9b5c3d2e-0f4a-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects PowerShell commands attempting to export mailbox contents, often used for bulk PHI exfiltration.
references:
  - https://attack.mitre.org/techniques/T1114/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:\    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'New-MailboxExportRequest'
      - 'Export-Mailbox'
      - 'Search-Mailbox'
  condition: selection
falsepositives:
  - Legitimate administrator migrations or eDiscovery exports
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for anomalous bulk access to mailbox items, which often precedes exfiltration.

KQL — Microsoft Sentinel / Defender
// Hunt for bulk MailItemsAccessed operations typical of scraping tools
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation in ("MailItemsAccessed", "SearchQueryStarted")
| extend Folder = tostring(Folder)
| where isnotempty(Folder)
| summarize Count = count() by UserId, Operation, ClientIPAddress, Folder
| where Count > 500 // Threshold tuning required based on org size
| project UserId, Operation, Count, ClientIPAddress, Folder, TimeGenerated
| order by Count desc

Velociraptor VQL

Hunt for PowerShell processes interacting with Exchange Online modules on the endpoint.

VQL — Velociraptor
-- Hunt for PowerShell processes loading Exchange Online modules
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND CommandLine =~ "ExchangeOnlineManagement"
  OR CommandLine =~ "Connect-ExchangeOnline"

Remediation Script (PowerShell)

Use this script to audit current inbox rules for suspicious forwarding configurations.

PowerShell
# Audit Inbox Rules for External Forwarding
# Requires Exchange Online Managed Shell or appropriate module

Write-Host "Starting Inbox Rule Audit..."

# Connect to Exchange Online (Uncomment if running interactively)
# Connect-ExchangeOnline

$Mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($Mailbox in $Mailboxes) {
    $Rules = Get-InboxRule -Mailbox $Mailbox.Identity
    foreach ($Rule in $Rules) {
        if ($Rule.ForwardTo -or $Rule.RedirectTo -or $Rule.CopyToFolder) {
            [PSCustomObject]@{
                Mailbox        = $Mailbox.PrimarySmtpAddress
                RuleName       = $Rule.Name
                Enabled        = $Rule.Enabled
                ForwardTo      = $Rule.ForwardTo -join ";"
                RedirectTo     = $Rule.RedirectTo -join ";"
                Description    = "Potential Data Exfiltration Risk"
            }
        }
    }
}

Remediation

To prevent similar breaches and ensure HIPAA compliance:

  1. Enable Phishing-Resistant MFA: Enforce FIDO2 or Certificate-Based Authentication. Disallow legacy authentication protocols immediately.
  2. Conditional Access Policies: Implement policies that block access from anonymous IP addresses, impossible travel locations, or risky sign-ins. Require compliant devices for access to PHI.
  3. Mailbox Auditing: Ensure Unified Audit Logging is enabled. Set up alerts specifically for New-InboxRule and MailItemsAccessed operations.
  4. User Education: Conduct security awareness training focusing on identifying credential harvesting sites and reporting suspicious emails immediately.
  5. Least Privilege: Restrict the use of powerful PowerShell cmdlets (like New-MailboxExportRequest) to highly privileged admin accounts only.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcarebecemail-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action