[Tuning] M365 Exchange Inbox Phishing Evasion Rule Created (#5648)

* Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml * Update defense_evasion_exchange_new_inbox_rule_delete_or_move.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-05 13:02:57 +00:00
parent 3cba3d7982
commit 00159a3eca
1 changed files with 10 additions and 5 deletions
@@ -2,10 +2,10 @@
 creation_date = "2025/05/22"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/01/29"

 [rule]
-author = ["Elastic", "Jamie Lee"]
+author = ["Elastic", "Jamie Lee", "Marco Pedrinazzi"]
 description = """
 Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious
 keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or
@@ -84,8 +84,11 @@ type = "new_terms"

 query = '''
 event.dataset: "o365.audit" and
-    event.action: "New-InboxRule" and event.outcome: "success" and
-    o365.audit.Parameters.SubjectContainsWords: (
+    event.action: ("New-InboxRule" or "Set-InboxRule") and event.outcome: "success" and
+    (
+     o365.audit.Parameters.BodyContainsWords: "\u0000" or 
+     o365.audit.Parameters.WithinSizeRangeMinimum <= 1023 or 
+     o365.audit.Parameters.SubjectContainsWords: (
        *phish* or
        *hack* or
        *alert* or
@@ -101,12 +104,14 @@ event.dataset: "o365.audit" and
        *protection* or
        *login* or
        *suspicious*
+      )
    ) and (
    o365.audit.Parameters.DeleteMessage: True or
    o365.audit.Parameters.MoveToFolder: (
        *Deleted* or
        *Junk* or
-        *RSS*
+        *RSS* or 
+        *Calendar*
    )
 )
 '''