Microsoft 365 Exchange Anti-Phish Rule Modification
Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.
Elastic rule
[metadata]
creation_date = "2020/11/19"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in
features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining
settings to better detect and prevent attacks.
"""
false_positives = [
    """
    An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
]
risk_score = 47
rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
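The rule's KQL query expressed as testable Python, so the matching logic can be checked against sample documents offline. This is an added example, not Elastic's code: the field names and values come from the query above, the events are constructed, and the `excluded_users` exception list is a hypothetical stand-in for the rule exceptions the false_positives note mentions.

```python
from typing import Any, Iterable

# Actions the rule's event.action clause alerts on (from the query above).
WATCHED_ACTIONS = {"Remove-AntiPhishRule", "Disable-AntiPhishRule"}

def get_field(doc: dict, dotted: str) -> Any:
    """Resolve a dotted ECS path such as 'event.action' in a nested dict."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(doc: dict, dotted: str, wanted: set) -> bool:
    """KQL field:value semantics; ECS fields like event.category may be lists."""
    value = get_field(doc, dotted)
    values = value if isinstance(value, list) else [value]
    return any(v in wanted for v in values)

def rule_matches(doc: dict, excluded_users: Iterable[str] = ()) -> bool:
    """True when every clause of the rule query holds for the document.
    excluded_users is a hypothetical exception list for expected admin changes."""
    if get_field(doc, "user.name") in set(excluded_users):
        return False
    return (
        field_matches(doc, "event.dataset", {"o365.audit"})
        and field_matches(doc, "event.provider", {"Exchange"})
        and field_matches(doc, "event.category", {"web"})
        and field_matches(doc, "event.action", WATCHED_ACTIONS)
        and field_matches(doc, "event.outcome", {"success"})
    )

def alerts(docs: Iterable[dict], excluded_users: Iterable[str] = ()) -> list:
    """Return (user, action) pairs that would fire the rule."""
    return [(get_field(d, "user.name"), get_field(d, "event.action"))
            for d in docs if rule_matches(d, excluded_users)]

def sample_event(user: str, action: str, outcome: str) -> dict:
    """Build a constructed o365.audit document (not real audit data)."""
    return {"event": {"dataset": "o365.audit", "provider": "Exchange",
                      "category": ["web"], "action": action, "outcome": outcome},
            "user": {"name": user}}

# Constructed samples: a disable, a failed remove, and a non-watched cmdlet.
SAMPLE_EVENTS = [sample_event("alice", "Disable-AntiPhishRule", "success"),
                 sample_event("bob", "Remove-AntiPhishRule", "failure"),
                 sample_event("carol", "Set-AntiPhishRule", "success")]
```

Only the successful disable fires; the failed removal and the unrelated cmdlet are dropped by the outcome and action clauses respectively.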
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps
- https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 User Restricted from Sending Email
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Impossible travel activity
- Microsoft 365 Exchange DLP Policy Removed