Exchange Rules

14 detection rules in this category.

Rule	Severity	MITRE	Source
Anti-malware policy changed	High	T1562.001	AuditLog
Anti-malware policy disabled	High	T1562.001	AuditLog
Anti-malware policy removed	High	T1562.001	AuditLog
Anti-phishing policy changed	High	T1562.001	AuditLog
Anti-phishing policy disabled	High	T1562.001	AuditLog
Anti-phishing policy removed	High	T1562.001	AuditLog
Inbox rule with delete action	High	T1070.008	AuditLog
Inbox rule with forwarding created	High	T1114.003	AuditLog
Inbox rule with redirect created	High	T1114.003	AuditLog
Journal rule created	Critical	T1114.003	AuditLog
Mailbox forwarding enabled	High	T1114.003	AuditLog
Mailbox full access granted	High	T1098.002	AuditLog
Send-as permission added	High	T1098.002	AuditLog
Transport rule created	Medium	—	AuditLog

Anti-malware policy changed

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} modified an anti-malware policy

Conditions

Match: all
Operation Equals Set-MalwareFilterPolicy

Anti-malware policy disabled

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} disabled an anti-malware policy

Conditions

Match: all
Operation Equals Disable-MalwareFilterRule

Anti-malware policy removed

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} removed an anti-malware policy

Conditions

Match: all
Operation Equals Remove-MalwareFilterRule

Anti-phishing policy changed

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} modified an anti-phishing policy

Conditions

Match: all
Operation Equals Set-AntiPhishPolicy

Anti-phishing policy disabled

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} disabled an anti-phishing policy

Conditions

Match: all
Operation Equals Disable-AntiPhishRule

Anti-phishing policy removed

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} removed an anti-phishing policy

Conditions

Match: all
Operation Equals Remove-AntiPhishRule

Inbox rule with delete action

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1070.008 (Defense Evasion)

{⁠{UserId}⁠} created a new email rule with delete action - possible evidence hiding

Conditions

Match: all
Operation Equals New-InboxRule
Parameters Contains DeleteMessage

Inbox rule with forwarding created

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1114.003 (Collection)

{⁠{UserId}⁠} created a new email forwarding rule

Conditions

Match: all
Operation Equals New-InboxRule
Parameters Contains ForwardTo

Inbox rule with redirect created

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1114.003 (Collection)

{⁠{UserId}⁠} created a new email redirect rule

Conditions

Match: all
Operation Equals New-InboxRule
Parameters Contains RedirectTo

Journal rule created

Property	Value
Severity	🔴 Critical
Source	AuditLog
MITRE	T1114.003 (Collection)

Email journaling rule created - mail being copied externally

Conditions

Match: all
Operation Equals New-JournalRule

Mailbox forwarding enabled

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1114.003 (Collection)

{⁠{UserId}⁠} enabled mailbox forwarding - BEC indicator

Conditions

Match: all
Operation Equals Set-Mailbox
Parameters Contains ForwardingAddress
Parameters Contains ForwardingSmtpAddress

Mailbox full access granted

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1098.002 (Persistence)

{⁠{UserId}⁠} added full access permission to mailbox

Conditions

Match: all
Operation Equals Add-MailboxPermission
Parameters Contains FullAccess

Send-as permission added

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1098.002 (Persistence)

{⁠{UserId}⁠} added send-as permission - can impersonate sender

Conditions

Match: all
Operation Equals Add-RecipientPermission
Parameters Contains SendAs

Transport rule created

Property	Value
Severity	🟡 Medium
Source	AuditLog

{⁠{UserId}⁠} created a new Exchange transport rule

Conditions

Match: all
Operation Equals New-TransportRule

Exchange Rules ​

Anti-malware policy changed ​

Anti-malware policy disabled ​

Anti-malware policy removed ​

Anti-phishing policy changed ​

Anti-phishing policy disabled ​

Anti-phishing policy removed ​

Inbox rule with delete action ​

Inbox rule with forwarding created ​

Inbox rule with redirect created ​

Journal rule created ​

Mailbox forwarding enabled ​

Mailbox full access granted ​

Send-as permission added ​

Transport rule created ​

Exchange Rules

Anti-malware policy changed

Anti-malware policy disabled

Anti-malware policy removed

Anti-phishing policy changed

Anti-phishing policy disabled

Anti-phishing policy removed

Inbox rule with delete action

Inbox rule with forwarding created

Inbox rule with redirect created

Journal rule created

Mailbox forwarding enabled

Mailbox full access granted

Send-as permission added

Transport rule created