Exchange Rules
11 detection rules in this category.
| Rule | Severity | MITRE | Source |
|---|---|---|---|
| Anti-phishing policy changed | High | T1562.001 | AuditLog |
| Inbox rule with delete action | High | T1070.008 | AuditLog |
| Inbox rule with forwarding created | Critical | T1114.003 | AuditLog |
| Inbox rule with redirect created | Critical | T1114.003 | AuditLog |
| Journal rule created | Critical | T1114.003 | AuditLog |
| Mailbox forwarding enabled | Critical | T1114.003 | AuditLog |
| Mailbox full access granted | High | T1098.002 | AuditLog |
| Safe attachments policy changed | High | T1562.001 | AuditLog |
| Safe links policy changed | High | T1562.001 | AuditLog |
| Send-as permission added | High | T1098.002 | AuditLog |
| Transport rule with forwarding created | Critical | T1114.003 | AuditLog |
Anti-phishing policy changed
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1562.001 (Defense Evasion) |
Anti-phishing policy modified
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-AntiPhishPolicy |
Inbox rule with delete action
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1070.008 (Defense Evasion) |
Inbox rule deletes messages - possible evidence hiding
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | New-InboxRule |
| Parameters.DeleteMessage | Exists | |
Inbox rule with forwarding created
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1114.003 (Collection) |
Inbox rule forwards mail externally - BEC indicator
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | New-InboxRule |
| Parameters.ForwardTo | Exists | |
Inbox rule with redirect created
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1114.003 (Collection) |
Inbox rule redirects mail - BEC indicator
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | New-InboxRule |
| Parameters.RedirectTo | Exists | |
Journal rule created
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1114.003 (Collection) |
Email journaling rule created - mail being copied externally
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | New-JournalRule |
Mailbox forwarding enabled
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1114.003 (Collection) |
External mail forwarding configured - BEC indicator
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-Mailbox |
| Parameters.ForwardingSmtpAddress | Exists | |
Mailbox full access granted
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.002 (Persistence) |
Full access permission granted to mailbox
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Add-MailboxPermission |
| Parameters.AccessRights | Contains | FullAccess |
Safe attachments policy changed
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1562.001 (Defense Evasion) |
Safe Attachments policy modified
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-SafeAttachmentPolicy |
Safe links policy changed
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1562.001 (Defense Evasion) |
Safe Links policy modified
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-SafeLinksPolicy |
Send-as permission added
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.002 (Persistence) |
Send-as permission granted - can impersonate sender
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Add-RecipientPermission |
| Parameters.AccessRights | Contains | SendAs |
Transport rule with forwarding created
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1114.003 (Collection) |
Mail flow rule created that forwards or copies mail externally
Conditions
- Match: all

| Field | Operator | Value |
|---|---|---|
| Operation | Equals | New-TransportRule |