Microsoft 365 Exchange Anti-Phish Policy Deletion
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/19"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in
11features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining
12settings to better detect and prevent attacks.
13"""
14false_positives = [
15 """
16 An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change
17 was expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
30 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
31]
32risk_score = 47
33rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
34severity = "medium"
35tags = [
36 "Domain: Cloud",
37 "Data Source: Microsoft 365",
38 "Use Case: Configuration Audit",
39 "Tactic: Initial Access",
40]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1566"
53name = "Phishing"
54reference = "https://attack.mitre.org/techniques/T1566/"
55
56
57[rule.threat.tactic]
58id = "TA0001"
59name = "Initial Access"
60reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
Admins can learn about the anti-phishing policies that are available in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
Read More
Related rules
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 User Restricted from Sending Email
- Microsoft 365 Impossible travel activity
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion