M365 Exchange Inbox Rule with Obfuscated Name

Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and rule name separated by a backslash.

Elastic rule

[metadata]
creation_date = "2026/05/27"
integration = ["o365"]
maturity = "production"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
description = """
Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters.
Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend
in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and
rule name separated by a backslash.
"""
false_positives = [
    """
    Rare legitimate automation or third-party tools may create inbox rules with non-alphanumeric names. Validate against
    known messaging workflows and approved admin scripts before escalating.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "M365 Exchange Inbox Rule with Obfuscated Name"
note = """## Triage and analysis

### Investigating M365 Exchange Inbox Rule with Obfuscated Name

This rule flags `New-InboxRule` and `Set-InboxRule` activity where the inbox rule name extracted from
`o365.audit.ObjectId` contains only special characters. Attackers use these names to make malicious rules harder to spot
in the Microsoft 365 compliance portal and security tooling.

Because this rule uses ESQL `grok` and `keep`, review the original `o365.audit` documents for full rule parameters
(`o365.audit.Parameters.*`) such as forwarding, deletion, or move actions.

### Possible investigation steps

- Review `Esql.inbox_rule_name` and `o365.audit.ObjectId` to confirm the parsed rule identity and mailbox path.
- Identify the actor using `o365.audit.UserId` and correlate with Entra ID sign-in logs for the same `source.ip`.
- Inspect `event.action` to determine whether the rule was newly created or modified.
- Review kept forwarding and redirect parameters (`ForwardTo`, `ForwardAsAttachmentTo`, `ForwardingAddress`,
  `RedirectTo`, `RedirectToRecipients`) for external destinations outside `user.domain`.
- Pull the source event and review `o365.audit.Parameters` for `DeleteMessage`, `MoveToFolder`, or
  `SubjectContainsWords` that indicate evasion or exfiltration intent.
- Hunt for other inbox rules from the same user or IP with standard or obfuscated names.

### False positive analysis

- Internal scripts that programmatically name rules with symbols may match. Document approved senders and exclude if
  necessary.
- Broken or partial `ObjectId` values can affect grok extraction; verify the parsed name in the raw audit record.

### Response and remediation

- Remove the inbox rule from the affected mailbox if unauthorized.
- Reset credentials and revoke sessions for the user if compromise is suspected.
- Review the tenant for additional malicious inbox or transport rules from the same source IP.
"""
references = ["https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/"]
risk_score = 47
rule_id = "1c3d9346-4591-4894-935c-dad2824850f2"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Email",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-o365.audit-* metadata _id, _version, _index
| where
    data_stream.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("New-InboxRule", "Set-InboxRule") and
    event.outcome == "success" and
    o365.audit.ObjectId is not null
| grok o365.audit.ObjectId """.*\\\\(?<Esql.inbox_rule_name>.*)$"""
// only special chars in inbox rule name
| where Esql.inbox_rule_name rlike """[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+"""
| keep
    @timestamp,
    _id,
    _version,
    _index,
    Esql.inbox_rule_name,
    o365.audit.ObjectId,
    o365.audit.UserId,
    o365.audit.ApplicationId,
    user.name,
    user.domain,
    event.action,
    source.ip,
    source.as.number,
    source.as.organization.name,
    o365.audit.Parameters.ForwardTo,
    o365.audit.Parameters.ForwardAsAttachmentTo,
    o365.audit.Parameters.RedirectTo
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "Esql.inbox_rule_name",
    "o365.audit.ObjectId",
    "o365.audit.UserId",
    "user.name",
    "user.domain",
    "event.action",
    "source.ip",
    "source.as.organization.name",
    "o365.audit.Parameters.ForwardTo",
    "o365.audit.Parameters.ForwardAsAttachmentTo",
    "o365.audit.Parameters.RedirectTo"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"

[[rule.threat.technique.subtechnique]]
id = "T1564.008"
name = "Email Hiding Rules"
reference = "https://attack.mitre.org/techniques/T1564/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"

[[rule.threat.technique.subtechnique]]
id = "T1137.005"
name = "Outlook Rules"
reference = "https://attack.mitre.org/techniques/T1137/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
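To make the detection logic concrete, here is an added Python example (not part of the Elastic rule or the detection-rules repository) that replays the query's filters, the grok extraction of the rule name after the last backslash in ObjectId, and the special-characters-only check over a handful of constructed o365.audit records. The sample records, the mailbox prefix and the addresses are all invented; the character class is copied from the rule's rlike pattern, and since ES|QL rlike must match the entire string, the Python equivalent is re.fullmatch(). The records also exercise two of the false-positive notes above: an event whose cmdlet failed, and a truncated ObjectId with no backslash, where grok would leave the parsed name null.

```python
import re

# Character class copied from the rule's ES|QL `rlike` pattern. ES|QL rlike matches the
# whole string, so re.fullmatch() is the equivalent; `+` means an empty name never matches.
SPECIAL_ONLY_NAME = re.compile(r"""[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+""")

# Forwarding parameters the rule keeps for triage (flattened field names).
FORWARDING_PARAMS = (
    "o365.audit.Parameters.ForwardTo",
    "o365.audit.Parameters.ForwardAsAttachmentTo",
    "o365.audit.Parameters.RedirectTo",
)

# Constructed sample audit records (not real tenant data). The ObjectId layout follows the
# rule description: mailbox identity, a backslash, then the rule name.
MAILBOX_PREFIX = (
    "example.onmicrosoft.com/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/"
)
BASE = {"data_stream.dataset": "o365.audit", "event.provider": "Exchange",
        "event.outcome": "success"}
SAMPLE_EVENTS = [
    # Name ".." plus an external ForwardTo: should fire.
    {**BASE, "event.action": "New-InboxRule", "o365.audit.UserId": "alice@example.com",
     "o365.audit.ObjectId": MAILBOX_PREFIX + "alice\\..",
     "o365.audit.Parameters.ForwardTo": "external-contact@example.net"},
    # Ordinary descriptive name: no match.
    {**BASE, "event.action": "Set-InboxRule", "o365.audit.UserId": "bob@example.com",
     "o365.audit.ObjectId": MAILBOX_PREFIX + "bob\\Move newsletters"},
    # Obfuscated name, but the cmdlet failed: filtered out by event.outcome.
    {**BASE, "event.outcome": "failure", "event.action": "New-InboxRule",
     "o365.audit.UserId": "carol@example.com",
     "o365.audit.ObjectId": MAILBOX_PREFIX + "carol\\!!!"},
    # Truncated ObjectId with no backslash: grok fails, the parsed name stays null.
    {**BASE, "event.action": "New-InboxRule", "o365.audit.UserId": "dave@example.com",
     "o365.audit.ObjectId": "example.onmicrosoft.com/dave"},
    # Name made only of dashes with a RedirectTo: should fire.
    {**BASE, "event.action": "Set-InboxRule", "o365.audit.UserId": "erin@example.com",
     "o365.audit.ObjectId": MAILBOX_PREFIX + "erin\\---",
     "o365.audit.Parameters.RedirectTo": "external-contact@example.net"},
]


def extract_rule_name(object_id):
    """Mirror the rule's grok: everything after the last backslash in ObjectId.
    Returns None when there is no backslash, as grok would leave the field unset."""
    if object_id is None or "\\" not in object_id:
        return None
    return object_id.rsplit("\\", 1)[1]


def is_obfuscated_name(name):
    """True when the name is non-empty and consists only of the special characters."""
    return name is not None and SPECIAL_ONLY_NAME.fullmatch(name) is not None


def detect(events):
    """Apply the query's filters to flattened o365.audit records; return the hits
    with the parsed rule name and any kept forwarding parameters attached."""
    hits = []
    for ev in events:
        if ev.get("data_stream.dataset") != "o365.audit":
            continue
        if ev.get("event.provider") != "Exchange":
            continue
        if ev.get("event.action") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        if ev.get("event.outcome") != "success":
            continue
        rule_name = extract_rule_name(ev.get("o365.audit.ObjectId"))
        if not is_obfuscated_name(rule_name):
            continue
        hits.append({
            "user": ev.get("o365.audit.UserId"),
            "action": ev["event.action"],
            "rule_name": rule_name,
            "object_id": ev["o365.audit.ObjectId"],
            "forwarding": {k: ev[k] for k in FORWARDING_PARAMS if k in ev},
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['action']} by {hit['user']}: rule name {hit['rule_name']!r}, "
              f"forwarding={hit['forwarding'] or 'none'}")
```

Running it reports the alice and erin events only; the failed cmdlet and the backslash-less ObjectId never reach the name check, which is why the triage guide asks you to verify the parsed name against the raw audit record rather than trusting the extraction alone.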
