Microsoft 365 Exchange Anti-Phish Policy Deletion
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining settings to better detect and prevent attacks.
Elastic rule
[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining
settings to better detect and prevent attacks.
"""
false_positives = [
    """
    An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change
    was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Anti-Phish Policy Deletion

Microsoft 365's anti-phishing policies enhance security by fine-tuning detection settings to thwart phishing attacks. Adversaries may delete these policies to weaken defenses, facilitating unauthorized access. The detection rule monitors audit logs for successful deletions of anti-phishing policies, signaling potential malicious activity by identifying specific actions and outcomes associated with policy removal.

### Possible investigation steps

- Review the audit logs for the specific event.action "Remove-AntiPhishPolicy" to identify the user account responsible for the deletion.
- Check the event.outcome field to confirm the success of the policy deletion and gather additional context from related logs around the same timestamp.
- Investigate the user account's recent activities in Microsoft 365 to identify any other suspicious actions or anomalies, such as unusual login locations or times.
- Assess whether the user account has been compromised by checking for any unauthorized access attempts or changes in account settings.
- Evaluate the impact of the deleted anti-phishing policy by reviewing the organization's current phishing protection measures and any recent phishing incidents.
- Coordinate with the IT security team to determine if the policy deletion was authorized or part of a legitimate change management process.

### False positive analysis

- Routine administrative actions may trigger the rule if IT staff regularly update or remove outdated anti-phishing policies. To manage this, create exceptions for known administrative accounts performing these actions.
- Scheduled policy reviews might involve the removal of policies as part of a legitimate update process. Document these schedules and exclude them from triggering alerts by setting time-based exceptions.
- Automated scripts used for policy management can inadvertently cause false positives. Identify and whitelist these scripts to prevent unnecessary alerts.
- Changes in organizational policy that require the removal of certain anti-phishing policies can be mistaken for malicious activity. Ensure that such changes are communicated and logged, and adjust the rule to recognize these legitimate actions.
- Test environments where policies are frequently added and removed for validation purposes can generate false positives. Exclude these environments from the rule to avoid confusion.

### Response and remediation

- Immediately isolate the affected user accounts and systems to prevent further unauthorized access or data exfiltration.
- Recreate the deleted anti-phishing policy using the latest security guidelines and ensure it is applied across all relevant user groups.
- Conduct a thorough review of recent email activity and logs for the affected accounts to identify any phishing emails that may have bypassed security measures.
- Reset passwords for affected accounts and enforce multi-factor authentication (MFA) to enhance account security.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Escalate the incident to the incident response team if there is evidence of broader compromise or if sensitive data has been accessed.
- Implement enhanced monitoring and alerting for similar actions in the future to quickly detect and respond to any further attempts to delete security policies.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
]
risk_score = 47
rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Configuration Audit",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
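The rule's query is five AND-ed KQL terms, and its false-positive analysis recommends an exception for known administrative accounts. The Python below is an added example, not code from the Elastic rule or the o365 integration: it replays the query's condition over constructed ECS-shaped o365.audit events and applies that administrator exception, so you can see which events would alert, which the exception would swallow, and which near-misses (a failed deletion, a Set-AntiPhishPolicy modification, a non-Exchange provider) fall outside the rule. The sample events, the admin list, and the `o365.audit.Parameters.Identity` path used to name the removed policy are all assumptions of mine about the event shape.

```python
# Added example, not part of the Elastic rule or the o365 integration: replays the
# rule's KQL condition over constructed ECS-shaped o365.audit events and applies the
# "known administrative accounts" exception from the rule's false-positive analysis.

# Each KQL term of the rule's query, as ECS field -> the value it must equal (or contain).
RULE_CONDITIONS = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": "web",          # ECS array field; KQL matches if any element equals it
    "event.action": "Remove-AntiPhishPolicy",
    "event.outcome": "success",
}


def get_field(event, dotted):
    """Resolve a dotted ECS field name such as 'event.action' in a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when every term of the rule's query holds for this event.

    Mirrors keyword matching in KQL: a scalar field must equal the value, and an
    array field (event.category) matches when any of its elements equals it."""
    for fld, want in RULE_CONDITIONS.items():
        have = get_field(event, fld)
        if isinstance(have, list):
            if want not in have:
                return False
        elif have != want:
            return False
    return True


def evaluate(events, exempt_users=frozenset()):
    """Split matching events into alerts and exception-suppressed hits.

    exempt_users models the rule exception the false-positive analysis suggests for
    administrative accounts that legitimately remove anti-phishing policies. Suppressed
    hits are returned rather than dropped so the exception itself stays auditable."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        actor = get_field(ev, "user.name")
        (suppressed if actor in exempt_users else alerts).append(ev)
    return alerts, suppressed


def summarize(events):
    """(actor, policy name) pairs. Reading the removed policy's name from
    o365.audit.Parameters.Identity is an assumption about the event shape, not from the rule."""
    return [(get_field(e, "user.name"),
             get_field(e, "o365.audit.Parameters.Identity")) for e in events]


def audit_event(action, outcome, user, policy, provider="Exchange"):
    """Build a constructed o365.audit event in the ECS layout the rule's fields refer to."""
    return {
        "@timestamp": "2025-01-15T10:02:11Z",  # constructed
        "event": {"dataset": "o365.audit", "provider": provider, "category": ["web"],
                  "action": action, "outcome": outcome},
        "user": {"name": user},
        "o365": {"audit": {"Parameters": {"Identity": policy}}},
    }


# Constructed sample events, not real tenant data. Only the first two satisfy the query.
SAMPLE_EVENTS = [
    audit_event("Remove-AntiPhishPolicy", "success", "contractor@example.com", "Finance Anti-Phish"),
    audit_event("Remove-AntiPhishPolicy", "success", "exo-admin@example.com", "Legacy Anti-Phish"),
    audit_event("Remove-AntiPhishPolicy", "failure", "contractor@example.com", "Finance Anti-Phish"),
    audit_event("Set-AntiPhishPolicy", "success", "contractor@example.com", "Finance Anti-Phish"),
    audit_event("Remove-AntiPhishPolicy", "success", "contractor@example.com", "Finance Anti-Phish",
                provider="SharePoint"),
]
KNOWN_ADMINS = frozenset({"exo-admin@example.com"})  # constructed exception list


def run_sample():
    """Evaluate the constructed events with the administrator exception applied."""
    alerts, suppressed = evaluate(SAMPLE_EVENTS, exempt_users=KNOWN_ADMINS)
    return summarize(alerts), summarize(suppressed)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for actor, policy in alerts:
        print(f"ALERT      {actor} removed anti-phish policy {policy!r}")
    for actor, policy in suppressed:
        print(f"SUPPRESSED {actor} removed anti-phish policy {policy!r} (known admin)")
```

The failed deletion is deliberately excluded because the query requires `event.outcome:success`; if you also want visibility into attempted removals, that is a separate, lower-severity rule rather than a change to this one. Likewise the Set-AntiPhishPolicy event is left to the related "Anti-Phish Rule Modification" rule listed below.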
Related rules
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Impossible travel activity
- Microsoft 365 User Restricted from Sending Email
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Exchange DLP Policy Removed