Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails

Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user principal name and associated source IP address have not been observed performing this activity in the past 14 days.

Elastic rule (TOML source)

[metadata]
creation_date = "2025/05/22"
integration = ["o365"]
maturity = "production"
updated_date = "2025/05/22"

[rule]
author = ["Elastic", "Jamie Lee"]
description = """
Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious
keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or
other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include
Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user
principal name and associated source IP address have not been observed performing this activity in the past 14 days.
"""
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails"
note = """## Triage and Analysis

### Investigating Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails

This detection identifies the creation of potentially malicious inbox rules in Microsoft 365. These rules automatically delete or move emails with specific keywords such as "invoice", "payment", "security", or "phish". Adversaries often use these rules post-compromise to conceal warning emails, alerts from security tools, or responses from help desk teams, thereby evading detection and maintaining access.

This is a new terms rule that alerts only when the combination of `user.id` and `source.ip` has not performed this activity in the last 14 days.

### Possible investigation steps

- Review the `user.id` and `user.email` fields to identify the user account that created the inbox rule.
- Confirm the rule creation action in `event.action` is `New-InboxRule` and that the `event.outcome` is `success`.
- Investigate the `o365.audit.Parameters.SubjectContainsWords` field for sensitive or suspicious keywords such as:
  - `invoice`, `payment`, `reset`, `phish`, `login`, `fraud`, `alert`, etc.
- Check if the rule performs any of the following:
  - `MoveToFolder`: suspicious folders like `RSS Feeds`, `Junk Email`, or `Deleted Items`.
  - `DeleteMessage`: if present, suggests the rule is meant to hide communications.
- Review the `source.ip` and `source.geo.*` fields to validate whether the IP address and location match expected user behavior.
- Examine whether the rule was created via a suspicious interface like Exchange Admin or through external automation.
- Check for recent sign-in anomalies, credential changes, or unusual mailbox activity for the user (e.g., email forwarding, MFA prompts).

### False positive analysis

- Some rules may be created by users for legitimate purposes (e.g., moving newsletters).
- Outlook plugins or automated email management tools could create rules that resemble this behavior.
- Newly onboarded employees might configure rules for personal filtering without malicious intent.

### Response and remediation

- If the rule is determined to be malicious:
  - Remove the inbox rule immediately.
  - Review the user’s mailbox for signs of data theft or additional manipulation (e.g., auto-forwarding, altered reply-to addresses).
  - Investigate surrounding activity such as MFA changes, token refreshes, or admin role assignments.
  - Revoke tokens and initiate a password reset for the compromised user.
- If broader compromise is suspected:
  - Review audit logs for other inbox rule creations across the tenant.
  - Check whether other users from the same source IP performed similar activity.
  - Educate the user on safe email handling and rule creation best practices.
- Strengthen detection:
  - Enable Microsoft Defender for Office 365 Safe Rules.
  - Use mailbox auditing and DLP policies to monitor hidden inbox activity.

"""
references = [
    "https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack",
    "https://learn.microsoft.com/en-us/defender-xdr/alert-grading-playbook-inbox-manipulation-rules",
    "https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection",
]
risk_score = 47
rule_id = "40fe11c2-376e-11f0-9a82-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Email",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "o365.audit" and
    event.action: "New-InboxRule" and event.outcome: "success" and
    o365.audit.Parameters.SubjectContainsWords: (
        *phish* or
        *hack* or
        *alert* or
        *malware* or
        *security* or
        *invoice* or
        *payment* or
        *wire* or
        *transfer* or
        *fraud* or
        *reset* or
        *unusual* or
        *protection* or
        *login* or
        *suspicious*
    ) and (
    o365.audit.Parameters.DeleteMessage: True or
    o365.audit.Parameters.MoveToFolder: (
        *Deleted* or
        *Junk* or
        *RSS*
    )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.008"
name = "Email Hiding Rules"
reference = "https://attack.mitre.org/techniques/T1564/008/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.id", "source.ip"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
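To see what the KQL query and the new-terms window actually select, the following added example replays both over a handful of constructed Microsoft 365 audit events. It is not Elastic's code and not part of the rule above: it ports the query's conditions to Python, then applies the rule's new-terms logic (alert only when the `user.id` / `source.ip` pair has not matched the query within the preceding 14 days). Field names are the flattened ECS/o365 fields used in the query; the user ids, IP addresses, timestamps and parameter values are constructed. Two simplifications are assumptions rather than documented rule behaviour: keyword and folder matching is done case-insensitively, and `DeleteMessage` is accepted as either a boolean or the string `"True"` as it appears in o365 audit parameters.

```python
"""Replay of the rule's query and new-terms window over constructed events.

Added example, not Elastic's code. Field names follow the rule's KQL query;
all event data below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Wildcard terms copied from the rule's KQL query (`*phish* or *hack* or ...`).
SUBJECT_KEYWORDS = ["phish", "hack", "alert", "malware", "security", "invoice",
                    "payment", "wire", "transfer", "fraud", "reset", "unusual",
                    "protection", "login", "suspicious"]
SUSPICIOUS_FOLDERS = ["Deleted", "Junk", "RSS"]      # `*Deleted* or *Junk* or *RSS*`
NEW_TERMS_FIELDS = ("user.id", "source.ip")           # rule.new_terms value
HISTORY_WINDOW = timedelta(days=14)                   # history_window_start = now-14d


def _values(event, field):
    """Return a field's value(s) as a list; o365 parameters may be scalar or list."""
    value = event.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _wildcard_any(values, needles):
    """Emulate `field: (*a* or *b*)`: any value contains any needle.
    Assumption: case-insensitive substring match."""
    return any(n.lower() in str(v).lower() for v in values for n in needles)


def matches_rule(event):
    """Port of the rule's KQL query over one flattened event dict."""
    if event.get("event.dataset") != "o365.audit":
        return False
    if event.get("event.action") != "New-InboxRule" or event.get("event.outcome") != "success":
        return False
    subjects = _values(event, "o365.audit.Parameters.SubjectContainsWords")
    if not _wildcard_any(subjects, SUBJECT_KEYWORDS):
        return False
    # Assumption: DeleteMessage arrives as bool True or the string "True".
    deletes = any(str(v).lower() == "true"
                  for v in _values(event, "o365.audit.Parameters.DeleteMessage"))
    moves = _wildcard_any(_values(event, "o365.audit.Parameters.MoveToFolder"),
                          SUSPICIOUS_FOLDERS)
    return deletes or moves


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def find_new_terms_alerts(events, window=HISTORY_WINDOW):
    """Replay the new-terms rule: among query-matching events (in time order),
    alert when the (user.id, source.ip) pair has not matched within `window`."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=_ts):
        if not matches_rule(event):
            continue
        key = tuple(event.get(f) for f in NEW_TERMS_FIELDS)
        now = _ts(event)
        previous = last_seen.get(key)
        if previous is None or now - previous > window:
            alerts.append(event)
        last_seen[key] = now
    return alerts


def _event(ts, user, ip, subject, outcome="success", **params):
    """Build a constructed, flattened o365 audit event."""
    ev = {"@timestamp": ts, "event.dataset": "o365.audit",
          "event.action": "New-InboxRule", "event.outcome": outcome,
          "user.id": user, "source.ip": ip,
          "o365.audit.Parameters.SubjectContainsWords": subject}
    ev.update(params)
    return ev


# Constructed sample data: benign rule, hidden-alert rules, a failed attempt.
SAMPLE_EVENTS = [
    _event("2025-05-01T10:00:00Z", "alice@example.com", "203.0.113.10",
           "Newsletter", **{"o365.audit.Parameters.MoveToFolder": "Newsletters"}),
    _event("2025-05-20T08:15:00Z", "bob@example.com", "198.51.100.7",
           "invoice;payment", **{"o365.audit.Parameters.DeleteMessage": "True"}),
    _event("2025-05-21T09:00:00Z", "bob@example.com", "198.51.100.7",
           "security alert", **{"o365.audit.Parameters.MoveToFolder": "RSS Feeds"}),
    _event("2025-05-22T07:00:00Z", "carol@example.com", "192.0.2.44",
           "phish", **{"o365.audit.Parameters.MoveToFolder": "Inbox"}),
    _event("2025-05-23T11:30:00Z", "dave@example.com", "192.0.2.9",
           "Password reset", **{"o365.audit.Parameters.DeleteMessage": True}),
    _event("2025-05-24T11:30:00Z", "erin@example.com", "192.0.2.9",
           "fraud", outcome="failure", **{"o365.audit.Parameters.DeleteMessage": "True"}),
    _event("2025-06-10T12:00:00Z", "bob@example.com", "198.51.100.7",
           "wire transfer", **{"o365.audit.Parameters.DeleteMessage": "True"}),
]

if __name__ == "__main__":
    for alert in find_new_terms_alerts(SAMPLE_EVENTS):
        print(alert["@timestamp"], alert["user.id"], alert["source.ip"])
```

Walking the sample set: alice's newsletter rule matches no keyword; carol's rule matches `phish` but moves to `Inbox`, which is not a suspicious folder; erin's attempt failed. bob's first matching rule alerts, the one a day later does not because the same `user.id`/`source.ip` pair matched within the window, and the one twenty days later alerts again because the pair has aged out of the 14-day history.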
