Microsoft 365 Exchange Anti-Phish Rule Modification

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in
11features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining
12settings to better detect and prevent attacks.
13"""
14false_positives = [
15    """
16    An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was
17    expected. Exceptions can be added to this rule to filter expected behavior.
18    """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
25note = """## Triage and analysis
26
27> **Disclaimer**:
28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
29
30### Investigating Microsoft 365 Exchange Anti-Phish Rule Modification
31
32Microsoft 365's anti-phishing rules are crucial for safeguarding users against phishing attacks by enhancing detection and prevention settings. Adversaries may attempt to modify or disable these rules to facilitate phishing campaigns, gaining unauthorized access. The detection rule monitors for successful modifications or disabling of anti-phishing rules, signaling potential malicious activity by tracking specific actions within the Exchange environment.
33
34### Possible investigation steps
35
36- Review the event logs for entries with event.dataset set to o365.audit and event.provider set to Exchange to confirm the context of the alert.
37- Check the event.action field for "Remove-AntiPhishRule" or "Disable-AntiPhishRule" to identify the specific action taken on the anti-phishing rule.
38- Verify the event.outcome field to ensure the action was successful, indicating a potential security concern.
39- Identify the user or account associated with the modification by examining the relevant user fields in the event log.
40- Investigate the user's recent activity and access patterns to determine if there are any other suspicious actions or anomalies.
41- Assess the impact of the rule modification by reviewing any subsequent phishing attempts or security incidents that may have occurred.
42- Consider reverting the changes to the anti-phishing rule and implementing additional security measures if unauthorized access is confirmed.
43
44### False positive analysis
45
46- Administrative changes: Legitimate administrative tasks may involve modifying or disabling anti-phishing rules for testing or configuration purposes. To manage this, create exceptions for known administrative accounts or scheduled maintenance windows.
47- Security audits: Regular security audits might require temporary adjustments to anti-phishing rules. Document these activities and exclude them from alerts by correlating with audit logs.
48- Third-party integrations: Some third-party security tools may interact with Microsoft 365 settings, triggering rule modifications. Identify these tools and exclude their actions from triggering alerts by using their specific identifiers.
49- Policy updates: Organizational policy changes might necessitate updates to anti-phishing rules. Ensure these changes are documented and exclude them from alerts by associating them with approved change management processes.
50
51### Response and remediation
52
53- Immediately isolate the affected user accounts to prevent further unauthorized access and potential spread of phishing attacks.
54- Revert any unauthorized changes to the anti-phishing rules by restoring them to their previous configurations using backup or documented settings.
55- Conduct a thorough review of recent email logs and user activity to identify any potential phishing emails that may have bypassed the modified rules and take steps to quarantine or delete them.
56- Notify the security team and relevant stakeholders about the incident, providing details of the rule modification and any identified phishing attempts.
57- Escalate the incident to the incident response team for further investigation and to determine if additional systems or data have been compromised.
58- Implement enhanced monitoring and alerting for any further attempts to modify anti-phishing rules, ensuring that similar activities are detected promptly.
59- Review and update access controls and permissions for administrative actions within Microsoft 365 to ensure that only authorized personnel can modify security settings.
60
61## Setup
62
63The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
64references = [
65    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
66    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
67]
68risk_score = 47
69rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
70severity = "medium"
71tags = [
72    "Domain: Cloud",
73    "Data Source: Microsoft 365",
74    "Use Case: Configuration Audit",
75    "Tactic: Initial Access",
76    "Resources: Investigation Guide",
77]
78timestamp_override = "event.ingested"
79type = "query"
80
81query = '''
82event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
83'''
84
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88[[rule.threat.technique]]
89id = "T1566"
90name = "Phishing"
91reference = "https://attack.mitre.org/techniques/T1566/"
92
93
94[rule.threat.tactic]
95id = "TA0001"
96name = "Initial Access"
97reference = "https://attack.mitre.org/tactics/TA0001/"