Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails

Last updated: 2025-05-22
Created: 2025-05-22

About

Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user principal name and associated source IP address have not been observed performing this activity in the past 14 days.
Tags
Domain: Cloud
Domain: SaaS
Domain: Email
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Threat Detection
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset: "o365.audit" and
    event.action: "New-InboxRule" and event.outcome: "success" and
    o365.audit.Parameters.SubjectContainsWords: (
        *phish* or
        *hack* or
        *alert* or
        *malware* or
        *security* or
        *invoice* or
        *payment* or
        *wire* or
        *transfer* or
        *fraud* or
        *reset* or
        *unusual* or
        *protection* or
        *login* or
        *suspicious*
    ) and (
        o365.audit.Parameters.DeleteMessage: True or
        o365.audit.Parameters.MoveToFolder: (
            *Deleted* or
            *Junk* or
            *RSS*
        )
    )
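The query's field conditions together with the New Terms suppression, as an added Python example run over constructed audit events; this is not the rule page's or Elastic's own code. It assumes the New Terms fields are o365.audit.UserId and source.ip and models the *keyword* wildcards as case-insensitive substring matches.

```python
from datetime import datetime, timedelta

# Keyword and folder fragments taken from the rule's query above.
SUBJECT_KEYWORDS = ["phish", "hack", "alert", "malware", "security", "invoice", "payment", "wire",
                    "transfer", "fraud", "reset", "unusual", "protection", "login", "suspicious"]
HIDE_FOLDERS = ["Deleted", "Junk", "RSS"]

def _any_contains(values, needles):
    # Models the query's *needle* wildcards as case-insensitive substring matches
    # (assumption: in Elastic the real behaviour depends on the field mapping).
    vals = values if isinstance(values, list) else [values]
    return any(n.lower() in str(v).lower() for v in vals if v is not None for n in needles)

def matches_query(event):
    """Evaluate the rule's field conditions against one flattened o365.audit event dict."""
    header = (event.get("event.dataset"), event.get("event.action"), event.get("event.outcome"))
    if header != ("o365.audit", "New-InboxRule", "success"):
        return False
    params = event.get("o365.audit.Parameters", {})
    if not _any_contains(params.get("SubjectContainsWords"), SUBJECT_KEYWORDS):
        return False
    deleted = str(params.get("DeleteMessage", "")).lower() == "true"  # may arrive as the string "True"
    return deleted or _any_contains(params.get("MoveToFolder"), HIDE_FOLDERS)

def new_terms_alerts(events, history_days=14):
    """Alert only when the (user, source IP) pair has not matched within the history window."""
    # Assumption: the rule's New Terms fields are o365.audit.UserId and source.ip.
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev.get("o365.audit.UserId"), ev.get("source.ip"))
        ts = datetime.fromisoformat(ev["@timestamp"])
        if key not in last_seen or ts - last_seen[key] > timedelta(days=history_days):
            alerts.append((key[0], key[1], ev["@timestamp"]))
        last_seen[key] = ts
    return alerts

def _event(ts, user, ip, words, **params):
    # Builds a constructed sample event in flattened field form; not real audit data.
    return {"@timestamp": ts, "event.dataset": "o365.audit", "event.action": "New-InboxRule",
            "event.outcome": "success", "o365.audit.UserId": user, "source.ip": ip,
            "o365.audit.Parameters": {"SubjectContainsWords": words, **params}}

SAMPLE_EVENTS = [  # constructed: three rules by alice from one IP, one benign rule by bob
    _event("2025-05-01T09:00:00", "alice@example.com", "203.0.113.10", ["invoice"], MoveToFolder="RSS Subscriptions"),
    _event("2025-05-03T10:00:00", "alice@example.com", "203.0.113.10", ["Security Alert"], DeleteMessage="True"),
    _event("2025-05-20T10:00:00", "alice@example.com", "203.0.113.10", ["password reset"], MoveToFolder="Junk Email"),
    _event("2025-05-04T11:00:00", "bob@example.com", "198.51.100.7", ["newsletter"], MoveToFolder="Deleted Items"),
]
```

Only alice's first rule and her rule 17 days later produce alerts; the rule two days after the first is suppressed because the same user/IP pair was seen inside the 14-day window, and bob's rule never matches the query.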

Install detection rules in Elastic Security

Detect Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.