Microsoft 365 Exchange Safe Attachment Rule Disabled
Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.
Elastic rule
[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware
protections to include routing all messages and attachments without a known malware signature to a special hypervisor
environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.
"""
false_positives = [
    """
    A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change
    was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Safe Attachment Rule Disabled

Microsoft 365's Safe Attachment feature enhances security by analyzing email attachments in a secure environment to detect unknown malware. Disabling this rule can expose organizations to threats by allowing potentially harmful attachments to bypass scrutiny. Adversaries may exploit this to exfiltrate data or avoid detection. The detection rule monitors audit logs for successful attempts to disable this feature, signaling potential defense evasion activities.

### Possible investigation steps

- Review the audit logs for the specific event.action "Disable-SafeAttachmentRule" to identify the user or account responsible for the action.
- Check the event.outcome field to confirm the success of the rule being disabled and gather additional context from related logs around the same timestamp.
- Investigate the event.provider "Exchange" to determine if there are any other recent suspicious activities or changes made by the same user or account.
- Assess the event.category "web" to understand if there were any web-based interactions or anomalies that coincide with the disabling of the safe attachment rule.
- Evaluate the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
- Cross-reference the identified user or account with known insider threat indicators or previous security incidents to assess the likelihood of malicious intent.

### False positive analysis

- Routine administrative changes can trigger alerts when IT staff disable Safe Attachment rules for legitimate reasons, such as testing or maintenance. To manage this, create exceptions for known administrative accounts or scheduled maintenance windows.
- Automated scripts or third-party tools used for email management might disable Safe Attachment rules as part of their operations. Identify these tools and exclude their actions from triggering alerts by whitelisting their associated accounts or IP addresses.
- Changes in organizational policy or security configurations might necessitate temporary disabling of Safe Attachment rules. Document these policy changes and adjust the monitoring rules to account for these temporary exceptions.
- Training or onboarding sessions for new IT staff might involve disabling Safe Attachment rules as part of learning exercises. Ensure these activities are logged and excluded from alerts by setting up temporary exceptions for training periods.

### Response and remediation

- Immediately re-enable the Safe Attachment Rule in Microsoft 365 to restore the security posture and prevent further exposure to potentially harmful attachments.
- Conduct a thorough review of recent email logs and quarantine any suspicious attachments that were delivered during the period the rule was disabled.
- Isolate any systems or accounts that interacted with suspicious attachments to prevent potential malware spread or data exfiltration.
- Escalate the incident to the security operations team for further investigation and to determine if there was any unauthorized access or data compromise.
- Implement additional monitoring on the affected accounts and systems to detect any signs of ongoing or further malicious activity.
- Review and update access controls and permissions to ensure that only authorized personnel can modify security rules and configurations.
- Conduct a post-incident analysis to identify the root cause and implement measures to prevent similar incidents, such as enhancing alerting mechanisms for critical security rule changes.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps",
]
risk_score = 21
rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
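As an added example (not code from the Elastic rule or its repository), the rule's KQL query expressed as a predicate over ECS-shaped o365.audit events, extended to pair each alert with the next successful Enable-SafeAttachmentRule event on the same rule so the exposure window that the remediation steps refer to can be measured, and to honour the account exceptions the false-positive section suggests. The sample events are constructed, and the `user.id` and `o365.audit.Parameters.Identity` field names are assumptions about how the integration maps the audit record.

```python
"""Evaluate the rule query over constructed o365.audit events and measure exposure."""
from datetime import datetime


def make_event(ts, action, outcome, user, ident):
    # Constructed ECS-shaped event; user.id and the Identity cmdlet argument are assumed names.
    return {"@timestamp": ts, "event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.category": "web", "event.action": action, "event.outcome": outcome,
            "user.id": user, "o365.audit.Parameters.Identity": ident}


# Constructed sample: a successful disable, a failed attempt, the admin re-enable,
# and a second disable by a service account that is never re-enabled.
SAMPLE_EVENTS = [
    make_event("2025-01-15T09:00:00Z", "Disable-SafeAttachmentRule", "success",
               "mallory@example.com", "Default Safe Attachments"),
    make_event("2025-01-15T09:01:00Z", "Disable-SafeAttachmentRule", "failure",
               "bob@example.com", "Default Safe Attachments"),
    make_event("2025-01-15T09:05:00Z", "Enable-SafeAttachmentRule", "success",
               "admin@example.com", "Default Safe Attachments"),
    make_event("2025-01-15T10:00:00Z", "Disable-SafeAttachmentRule", "success",
               "svc-mailmgmt@example.com", "Legal Hold Rule"),
]


def matches_rule(e):
    """The rule's query as a predicate: all five field terms must hold (failed attempts do not alert)."""
    return (e.get("event.dataset") == "o365.audit" and e.get("event.provider") == "Exchange"
            and e.get("event.category") == "web"
            and e.get("event.action") == "Disable-SafeAttachmentRule"
            and e.get("event.outcome") == "success")


def _ts(e):
    return datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))


def exposure_windows(events, excepted_users=()):
    """For each alerting event, find the next successful re-enable of the same rule identity.
    Returns (actor, rule identity, minutes disabled or None if still disabled).
    excepted_users models the rule exceptions for known administrative or service accounts."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    results = []
    for i, e in enumerate(ordered):
        if not matches_rule(e) or e.get("user.id") in excepted_users:
            continue
        ident = e.get("o365.audit.Parameters.Identity")
        minutes = None
        for later in ordered[i + 1:]:
            if (later.get("event.action") == "Enable-SafeAttachmentRule"
                    and later.get("event.outcome") == "success"
                    and later.get("o365.audit.Parameters.Identity") == ident):
                minutes = (_ts(later) - _ts(e)).total_seconds() / 60
                break
        results.append((e.get("user.id"), ident, minutes))
    return results
```

A window of None means the rule is still disabled and the first remediation step (re-enable it) is still outstanding.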
References
- https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps
Related rules
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Azure Alert Suppression Rule Created or Modified
- Azure Automation Runbook Deleted