Microsoft 365 Exchange Anti-Phish Rule Modification
Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/19"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in
11features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining
12settings to better detect and prevent attacks.
13"""
14false_positives = [
15 """
16 An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was
17 expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
30 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
31]
32risk_score = 47
33rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
34severity = "medium"
35tags = [
36 "Domain: Cloud",
37 "Data Source: Microsoft 365",
38 "Use Case: Configuration Audit",
39 "Tactic: Initial Access",
40]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1566"
53name = "Phishing"
54reference = "https://attack.mitre.org/techniques/T1566/"
55
56
57[rule.threat.tactic]
58id = "TA0001"
59name = "Initial Access"
60reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 User Restricted from Sending Email
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification