M365 Suspicious Mailbox Rule Creation

View all detections
M365 Suspicious Mailbox Rule Creation


  • An account was observed creating suspicious mailbox rules in Exchange that allow an attacker to manipulate, hide, or delete incoming emails.

Possible Root Causes

  • An attacker with control of an account created mailbox rules that hide or manipulate emails to either evade notice by the mailbox owner or impact business processes.
  • A user created a benign but broad or abnormal inbox rule as part of normal business email management.

Business Impact

  • Instances of malicious mailbox rules may indicate an adversary has control of an internal mailbox and can access the users email data and send emails internally and externally on behalf of the user.
  • A successful attack can result in immediate data theft or reputation loss from the compromised account.
  • A successful attack can result in additional business impact through targeted phishing from the internal account, as they are often trusted and subsequent to less strict security controls relative to external accounts.

Steps to Verify

  • Investigate the account that performed the action for other indications of malicious activity
  • If review indicates possible malicious actions, revert configuration and disable credentials associated with this alert, then perform a comprehensive investigation.