Microsoft 365 Exchange Anti-Phish Policy Deletion

Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining settings to better detect and prevent attacks, so removing one weakens the tenant's mail defenses. The rule matches only a successful `Remove-AntiPhishPolicy` recorded by the Exchange provider in the Office 365 audit log; failed attempts and policy modifications (`Set-AntiPhishPolicy`) do not trigger it.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining
settings to better detect and prevent attacks.
"""
false_positives = [
    """
    An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change
    was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
]
risk_score = 47
rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
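To see exactly which audit documents the query above selects, and how the "exceptions can be added" note in `false_positives` plays out, the following replays the five KQL clauses over constructed ECS-style Microsoft 365 audit documents. This is an added example, not Elastic's code: the sample documents are invented, the exception-by-`user.id` mechanism is this example's own choice (Kibana exceptions can key on any field), and the `o365.audit.Parameters.Identity` path used to pull the policy name is an assumption about the integration's layout that you should check against your own data.

```python
# Added example (not Elastic's code): replays the rule's KQL conditions over
# constructed Microsoft 365 audit documents in ECS shape, so the reader can see
# which events would alert and how an exception for an expected admin behaves.

from typing import Any, Iterable

# The five clauses of the rule query, as ECS field -> required value.
RULE_CLAUSES = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": "web",
    "event.action": "Remove-AntiPhishPolicy",
    "event.outcome": "success",
}


def get_field(doc: dict, dotted: str) -> Any:
    """Resolve an ECS dotted field name against a nested document.
    Returns None when any path component is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def kql_equals(actual: Any, expected: str) -> bool:
    """KQL `field:value` semantics: a scalar must equal the value; an array
    field (ECS event.category is one) matches if any element equals it."""
    if isinstance(actual, list):
        return expected in actual
    return actual == expected


def matches_rule(doc: dict) -> bool:
    """True when the document satisfies every clause of the rule query."""
    return all(kql_equals(get_field(doc, f), v) for f, v in RULE_CLAUSES.items())


def run_rule(docs: Iterable[dict], expected_actors: Iterable[str] = ()) -> list[dict]:
    """Return one alert per matching document, dropping actors on an exception
    list. Keying the exception on user.id is this example's choice, standing in
    for the rule's 'exceptions can be added to this rule' note."""
    allow = set(expected_actors)
    alerts = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        actor = get_field(doc, "user.id")
        if actor in allow:
            continue
        alerts.append({
            "actor": actor,
            # Assumed path for the cmdlet's -Identity parameter in the
            # o365 integration's documents; verify against your own data.
            "policy": get_field(doc, "o365.audit.Parameters.Identity"),
            "timestamp": get_field(doc, "@timestamp"),
        })
    return alerts


def _o365_doc(action: str, outcome: str, actor: str, ts: str,
              provider: str = "Exchange") -> dict:
    """Build one constructed audit document in the integration's ECS shape."""
    return {
        "@timestamp": ts,
        "event": {
            "dataset": "o365.audit",
            "provider": provider,
            "category": ["web"],          # ECS categories are arrays
            "action": action,
            "outcome": outcome,
        },
        "user": {"id": actor},
        "o365": {"audit": {"Parameters": {"Identity": "Office365 AntiPhish Default"}}},
    }


# Constructed sample documents (invented tenant activity, not real logs).
SAMPLE_DOCS = [
    _o365_doc("Remove-AntiPhishPolicy", "success", "mallory@example.com", "2024-04-02T10:00:00Z"),
    _o365_doc("Remove-AntiPhishPolicy", "failure", "eve@example.com", "2024-04-02T10:01:00Z"),        # failed: no alert
    _o365_doc("Set-AntiPhishPolicy", "success", "alice@example.com", "2024-04-02T10:02:00Z"),         # modified, not removed
    _o365_doc("Remove-AntiPhishPolicy", "success", "secops-admin@example.com", "2024-04-02T10:03:00Z"),  # expected admin
    _o365_doc("Remove-AntiPhishPolicy", "success", "bob@example.com", "2024-04-02T10:04:00Z", provider="SharePoint"),  # wrong provider
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_DOCS, expected_actors={"secops-admin@example.com"}):
        print(alert)
```

Without the exception list the run yields two alerts (mallory and secops-admin); with the change-management account excepted only mallory's removal remains. The failed attempt, the `Set-AntiPhishPolicy` change and the non-Exchange provider never match, which is the behaviour to keep in mind when triaging: a quiet rule does not mean nobody tried.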

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. The query depends on the ECS fields those pipelines populate (`event.dataset`, `event.provider`, `event.category`, `event.action`, `event.outcome`), so audit data ingested through a custom pipeline must map the Exchange cmdlet name to `event.action` and the result to `event.outcome` for the rule to fire.
