M365 Exchange Inbox Rule with Obfuscated Name

Last updated 3 days ago on 2026-05-27
Created 3 days ago on 2026-05-27

About

Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and rule name separated by a backslash.
Tags
Domain: Cloud
Domain: SaaS
Domain: Email
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Threat Detection
Tactic: Defense Evasion
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

Persistence (TA0003)

False Positive Examples
Rare legitimate automation or third-party tools may create inbox rules with non-alphanumeric names. Validate against known messaging workflows and approved admin scripts before escalating.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

o365

Query
from logs-o365.audit-* metadata _id, _version, _index
| where data_stream.dataset == "o365.audit"
    and event.provider == "Exchange"
    and event.action in ("New-InboxRule", "Set-InboxRule")
    and event.outcome == "success"
    and o365.audit.ObjectId is not null
| grok o365.audit.ObjectId """.*\\\\(?<Esql.inbox_rule_name>.*)$"""
// only special chars in inbox rule name
| where Esql.inbox_rule_name rlike """[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+"""
| keep @timestamp, _id, _version, _index, Esql.inbox_rule_name, o365.audit.ObjectId, o365.audit.UserId, o365.audit.ApplicationId, user.name, user.domain, event.action, source.ip, source.as.number, source.as.organization.name, o365.audit.Parameters.ForwardTo, o365.audit.Parameters.ForwardAsAttachmentTo, o365.audit.Parameters.RedirectTo
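The following Python is an added example, not part of the Elastic rule, that re-implements the query's filter logic outside of ES|QL so the "name after the last backslash" parsing and the whole-string RLIKE check can be tested against constructed audit events. The tenant, mailbox names and events are invented; only the character class and field names are taken from the query.

```python
import re

# Same character class as the query's RLIKE; re.fullmatch mirrors ES|QL's
# whole-string RLIKE semantics, so any ordinary letter or digit breaks the match.
OBFUSCATED_NAME = re.compile(r"""[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+""")

def inbox_rule_name(object_id):
    """Rule name after the last backslash of o365.audit.ObjectId (mailbox\\rule).
    Returns None when there is no backslash, as the grok pattern would not match."""
    if object_id is None or "\\" not in object_id:
        return None
    return object_id.rsplit("\\", 1)[1]

def is_obfuscated(name):
    """True only if the whole, non-empty name consists of characters from the class above."""
    return name is not None and OBFUSCATED_NAME.fullmatch(name) is not None

def matches_rule(event):
    """Apply the query's WHERE clauses to one flattened audit event (dict)."""
    return (
        event.get("data_stream.dataset") == "o365.audit"
        and event.get("event.provider") == "Exchange"
        and event.get("event.action") in ("New-InboxRule", "Set-InboxRule")
        and event.get("event.outcome") == "success"
        and is_obfuscated(inbox_rule_name(event.get("o365.audit.ObjectId")))
    )

def audit_event(action, object_id, outcome="success"):
    """Build a constructed sample event; tenant and users are invented."""
    return {
        "data_stream.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": action,
        "event.outcome": outcome,
        "o365.audit.ObjectId": object_id,
    }

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    audit_event("New-InboxRule", "contoso.onmicrosoft.com\\alice\\..."),      # dots only
    audit_event("Set-InboxRule", "contoso.onmicrosoft.com\\bob\\ "),          # single space
    audit_event("New-InboxRule", "contoso.onmicrosoft.com\\carol\\Move newsletters"),
    audit_event("New-InboxRule", "contoso.onmicrosoft.com\\dave\\...", outcome="failure"),
    audit_event("Remove-InboxRule", "contoso.onmicrosoft.com\\erin\\..."),    # action not covered
    audit_event("New-InboxRule", "contoso.onmicrosoft.com\\frank\\"),         # empty name, no match
]

def alerting_rule_names(events=SAMPLE_EVENTS):
    """Rule names from the events that would have produced an alert."""
    return [inbox_rule_name(e["o365.audit.ObjectId"]) for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_rule_names())  # ['...', ' ']
```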

Install detection rules in Elastic Security

Detect M365 Exchange Inbox Rule with Obfuscated Name in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.