Microsoft 365 Exchange Anti-Phish Policy Deletion
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining settings to better detect and prevent attacks.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing policies increase this protection by refining
settings to better detect and prevent attacks.
"""
false_positives = [
    """
    An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change
    was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
]
risk_score = 47
rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
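The rule is a single KQL predicate over five ECS fields, and its false-positive note says to add exceptions for expected administrators. The block below is an added example, not Elastic's code and not part of the rule: it re-implements that predicate in Python, runs it over constructed o365.audit-shaped events (including a failed cmdlet and the sibling Remove-AntiPhishRule action, which this rule must not match), filters hits from an allow-list of expected admins, and renders that allow-list as the KQL clause you would append to the query. Only the five fields in the query come from the rule; user.id, o365.audit.ObjectId (assumed here to carry the deleted policy's name in Exchange admin audit records), the contoso.example identities and every sample event are assumptions.

```python
"""Added example, not code from Elastic or from this rule: evaluate the rule's
KQL predicate over constructed Microsoft 365 audit events and apply the
exception path the false_positives note describes.

Assumptions: events are flattened ECS documents keyed by dotted field names;
user.id and o365.audit.ObjectId are assumed field names (only the five fields
used in the rule query are taken from the rule); all sample events are constructed.
"""
from typing import Iterable, List, Tuple

# KQL predicate from the rule, expressed as field -> required value.
RULE_TERMS = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": "web",
    "event.action": "Remove-AntiPhishPolicy",
    "event.outcome": "success",
}

# Constructed baseline event in the shape the Office 365 integration produces.
BASE = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": ["web"],          # ECS event.category is an array
    "event.action": "Remove-AntiPhishPolicy",
    "event.outcome": "success",
    "user.id": "helpdesk@contoso.example",         # assumed field/value
    "o365.audit.ObjectId": "Standard Preset Policy",  # assumed: deleted policy name
}

SAMPLE_EVENTS = [
    # 1: true positive, unexpected user deletes a custom policy
    {**BASE, "user.id": "j.doe@contoso.example", "o365.audit.ObjectId": "Executives Anti-Phish"},
    # 2: cmdlet failed; event.outcome:success excludes it
    {**BASE, "event.outcome": "failure"},
    # 3: policy modified, not deleted
    {**BASE, "event.action": "Set-AntiPhishPolicy"},
    # 4: anti-phish *rule* removed; covered by the sibling rule, not this one
    {**BASE, "event.action": "Remove-AntiPhishRule"},
    # 5: matches, but from an identity whose changes are expected
    {**BASE, "user.id": "breakglass@contoso.example"},
]


def _values(event: dict, field: str) -> list:
    """Return a field's values as a list; KQL field:value on an array field
    is true when any element equals the value."""
    v = event.get(field)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]


def matches_rule(event: dict) -> bool:
    """event.dataset:o365.audit and event.provider:Exchange and event.category:web
    and event.action:"Remove-AntiPhishPolicy" and event.outcome:success"""
    return all(value in _values(event, field) for field, value in RULE_TERMS.items())


def alerts(events: Iterable[dict], expected_admins=frozenset()) -> List[Tuple[str, str]]:
    """Apply the rule, then drop hits from identities in the exception list.
    Returns (actor, deleted policy) tuples for the remaining hits."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        actor = ev.get("user.id", "<unknown>")
        if actor in expected_admins:
            continue  # expected configuration change, per the rule's FP guidance
        hits.append((actor, ev.get("o365.audit.ObjectId", "<unknown>")))
    return hits


def exception_kql(expected_admins) -> str:
    """Render the exception list as a KQL clause to 'and' onto the rule query."""
    ids = " or ".join(f'"{a}"' for a in sorted(expected_admins))
    return f"not user.id:({ids})"


if __name__ == "__main__":
    allowed = frozenset({"breakglass@contoso.example"})
    for actor, policy in alerts(SAMPLE_EVENTS, allowed):
        print(f"ALERT: {actor} deleted anti-phish policy {policy!r}")
    print("exception clause:", exception_kql(allowed))
```

Keep the exception narrow: scoping it to a named identity (user.id) keeps the rule firing when a different account runs the same cmdlet, whereas excluding the whole Remove-AntiPhishPolicy action would silence the detection entirely. Also confirm the deletion was expected even for listed admins, since a compromised admin account is exactly the case the rule exists for.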
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps
- https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide
Related rules
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 User Restricted from Sending Email
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Impossible travel activity
- Microsoft 365 Exchange DLP Policy Removed