Microsoft 365 Exchange Malware Filter Policy Deletion

Identifies when a malware filter policy has been deleted in Microsoft 365. Malware filter policies in Exchange Online Protection control how messages containing malware are handled and which administrators are notified, including when an internal user sends a message that contains malware. Such a message may indicate an account or machine compromise that needs to be investigated, and deleting the policy that would surface it is a way to evade detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a malware filter policy has been deleted in Microsoft 365. Malware filter policies in Exchange Online
Protection control how messages containing malware are handled and which administrators are notified, including when
an internal user sends a message that contains malware. Such a message may indicate an account or machine compromise
that needs to be investigated, and deleting the policy that would surface it is a way to evade detection.
"""
false_positives = [
    """
    A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change
    was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Malware Filter Policy Deletion

Microsoft 365 Exchange uses malware filter policies to detect malware in email and to alert administrators, so they are a core part of a tenant's email security posture. Adversaries may delete these policies to bypass detection and distribute malware unnoticed. The detection rule monitors the unified audit log for successful deletions of these policies, signaling potential defense evasion.

### Possible investigation steps

- Review the audit record for event.action "Remove-MalwareFilterPolicy" to identify the account that ran the cmdlet and the policy it removed (the Identity parameter recorded with the operation).
- The rule only fires on event.outcome "success"; search the surrounding logs for failed attempts by the same account shortly before the alert, which can indicate trial and error by an attacker who has not yet found an account with sufficient rights.
- Record the source IP address and time of the session. The event.provider "Exchange" and event.category "web" terms only scope the query to Exchange audit records; they do not by themselves show whether the action was routine.
- Assess the recent activity of the identified user account for any unusual behavior or signs of compromise, such as unexpected login locations or times.
- Examine other security alerts or incidents involving the same user account or related systems to identify potential patterns or coordinated attacks.
- Verify if there are any recent changes in permissions or roles for the user account that could explain the ability to delete the malware filter policy.
- Coordinate with IT and security teams to determine if the deletion was authorized or if immediate remediation actions are necessary to restore security controls.

### False positive analysis

- Administrative maintenance activities may trigger the rule if administrators are legitimately updating or removing outdated malware filter policies. To manage this, maintain a log of scheduled maintenance activities and cross-reference with alerts to verify legitimacy.
- Automated scripts or third-party tools used for policy management might delete policies as part of their normal operation, leading to false positives. Ensure these tools are configured correctly and consider adding an exception for the service account they run as once its actions are verified as non-threatening. Keep such exceptions narrow (a specific account, not all deletions), since an attacker who compromises that account would otherwise inherit the exception.
- Changes in organizational policy or security strategy might necessitate the removal of certain malware filter policies. Document these changes and create exceptions in the detection rule for these specific actions to prevent unnecessary alerts.
- User error during policy management could result in accidental deletions. Implement additional verification steps or approval processes for policy deletions to reduce the likelihood of such errors triggering false positives.

### Response and remediation

- Immediately isolate the affected account or system to prevent further unauthorized actions or malware distribution.
- Recreate the deleted malware filter policy to restore the email security posture. The default anti-malware policy cannot be deleted, so the removed policy was a custom one, and the recipients it covered now fall through to a lower-priority policy or the default. Restore the policy (New-MalwareFilterPolicy) and, if it is also gone, the malware filter rule that scopes it to recipients (New-MalwareFilterRule), and confirm the settings match the last known-good configuration.
- Conduct a thorough review of recent audit logs to identify any other suspicious activities or policy changes that may indicate a broader compromise.
- Reset passwords and enforce multi-factor authentication for the affected account to secure access and prevent further unauthorized actions.
- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further investigation reveals a larger threat.
- Implement additional monitoring on the affected account and related systems to detect any further suspicious activities or attempts to bypass security measures.
- Review and update security policies and configurations to ensure they are robust against similar evasion tactics in the future.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps",
]
risk_score = 47
rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
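To make the query's semantics and the triage steps concrete, the following added example (not Elastic's code and not part of the rule) evaluates the rule's five KQL terms over a handful of constructed o365.audit documents and produces one triage record per match, carrying the fields an analyst looks at first. The event.* field names are the ones in the query; user.id, source.ip and o365.audit.Parameters.Identity are assumptions about how the Office 365 Logs integration maps the actor, client IP and cmdlet parameters, and the service-account allowlist stands in for a rule exception added after an automation account's behaviour has been verified.

```python
"""Evaluate the rule's KQL terms over constructed o365.audit documents.

Added example, not part of the Elastic rule. The sample documents are
constructed to resemble ECS output of the Office 365 Logs integration;
fields outside the rule's query (user.id, source.ip, o365.audit.Parameters)
are assumptions about that mapping.
"""
from typing import Any, Dict, FrozenSet, Iterable, List

# Constructed sample events. event.category is a list in some documents and a
# plain string in another, because KQL `field:value` matches either form.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # successful deletion by an interactive administrator: should alert
        "@timestamp": "2025-01-15T09:12:44.000Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange", "category": ["web"],
                  "action": "Remove-MalwareFilterPolicy", "outcome": "success"},
        "user": {"id": "jdoe@example.com"},
        "source": {"ip": "203.0.113.10"},
        "o365": {"audit": {"Parameters": {"Identity": "Contoso-Strict"}}},
    },
    {   # successful deletion by a change-management service account: alerts, but expected
        "@timestamp": "2025-01-15T09:30:01.000Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange", "category": "web",
                  "action": "Remove-MalwareFilterPolicy", "outcome": "success"},
        "user": {"id": "svc-exo-policy@example.com"},
        "source": {"ip": "198.51.100.7"},
        "o365": {"audit": {"Parameters": {"Identity": "Legacy-Default"}}},
    },
    {   # failed deletion (for example, insufficient role): excluded by event.outcome:success
        "@timestamp": "2025-01-15T09:05:10.000Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange", "category": ["web"],
                  "action": "Remove-MalwareFilterPolicy", "outcome": "failure"},
        "user": {"id": "jdoe@example.com"},
        "source": {"ip": "203.0.113.10"},
        "o365": {"audit": {"Parameters": {"Identity": "Contoso-Strict"}}},
    },
    {   # policy modified rather than deleted: excluded by event.action
        "@timestamp": "2025-01-15T10:02:33.000Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange", "category": ["web"],
                  "action": "Set-MalwareFilterPolicy", "outcome": "success"},
        "user": {"id": "jdoe@example.com"},
        "source": {"ip": "203.0.113.10"},
        "o365": {"audit": {"Parameters": {"Identity": "Contoso-Strict"}}},
    },
]

# The five `field:value` terms of the rule's query, AND-ed together.
RULE_TERMS: Dict[str, str] = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": "web",
    "event.action": "Remove-MalwareFilterPolicy",
    "event.outcome": "success",
}


def get_field(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS path such as 'o365.audit.Parameters.Identity'; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_equals(doc: Dict[str, Any], dotted: str, expected: str) -> bool:
    """KQL `field:value` semantics: equal, or, for a multi-valued field, any element equal."""
    value = get_field(doc, dotted)
    if isinstance(value, list):
        return expected in value
    return value == expected


def matches_rule(doc: Dict[str, Any]) -> bool:
    """True when the document satisfies every term of the rule's query."""
    return all(field_equals(doc, field, value) for field, value in RULE_TERMS.items())


def triage(events: Iterable[Dict[str, Any]],
           expected_actors: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """One triage record per alerting event; `expected` marks allowlisted service accounts."""
    records = []
    for doc in events:
        if not matches_rule(doc):
            continue
        actor = get_field(doc, "user.id")
        records.append({
            "timestamp": get_field(doc, "@timestamp"),
            "actor": actor,
            "source_ip": get_field(doc, "source.ip"),
            "deleted_policy": get_field(doc, "o365.audit.Parameters.Identity"),
            "expected": actor in expected_actors,
        })
    return records


if __name__ == "__main__":
    for record in triage(SAMPLE_EVENTS, frozenset({"svc-exo-policy@example.com"})):
        print(record)
```

Running it yields two records: the administrator's deletion of Contoso-Strict with expected False, and the service account's deletion of Legacy-Default with expected True. The failed attempt and the Set-MalwareFilterPolicy change are dropped by the predicate, which is why the investigation guide suggests searching for those separately once the alert fires: the failed attempt by the same account at 09:05 is exactly the kind of context the rule itself cannot surface.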
