A malware filter rule may be deleted or disabled by a system or network administrator as part of routine Exchange Online administration. Verify that the configuration change was expected (for example, that it corresponds to an approved change request). Exceptions can be added to this rule to filter expected behavior.

Sample rules

Microsoft 365 Exchange Malware Filter Rule Modification

Description

Identifies when a malware filter rule has been deleted or disabled in Microsoft 365, as recorded by a successful Remove-MalwareFilterRule or Disable-MalwareFilterRule operation in the Exchange audit log. An adversary or insider threat may modify a malware filter rule so that malicious attachments are no longer filtered, evading detection.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
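The following is an added example, not part of the original rule or Elastic's code. It re-implements the five conjunctive conditions of the query above as a Python matcher and runs it over constructed o365.audit events, then applies an allowlist of expected administrators to model the "exceptions can be added to this rule" guidance. The `user.name` field used for the allowlist and all event values (accounts, the non-Exchange provider string) are assumptions for illustration.

```python
"""Added example (not Elastic's code): evaluate the rule's KQL conditions
over constructed Microsoft 365 audit events, with an allowlist that models
the "exceptions can be added to this rule" false-positive guidance."""

# Cmdlets the rule alerts on, per the detection logic above.
MONITORED_ACTIONS = {"Remove-MalwareFilterRule", "Disable-MalwareFilterRule"}


def matches_rule(event: dict) -> bool:
    """Apply the rule's five AND-ed conditions to one ECS-shaped event.
    Every field is an exact term match, as in the KQL query."""
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") == "Exchange"
        and event.get("event.category") == "web"
        and event.get("event.action") in MONITORED_ACTIONS
        and event.get("event.outcome") == "success"
    )


def triage(events, expected_admins=frozenset()):
    """Return (alerts, suppressed). Matching events whose actor (assumed to
    be in user.name) is on the change-management allowlist are suppressed
    instead of alerted; everything else that matches becomes an alert."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("user.name") in expected_admins:
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


# Constructed sample events: field names follow the rule; values are invented.
SAMPLE_EVENTS = [
    # Unexpected deletion: should alert.
    {"event.dataset": "o365.audit", "event.provider": "Exchange", "event.category": "web",
     "event.action": "Remove-MalwareFilterRule", "event.outcome": "success",
     "user.name": "attacker@example.com"},
    # Disable by a known Exchange admin: matches, but is an expected exception.
    {"event.dataset": "o365.audit", "event.provider": "Exchange", "event.category": "web",
     "event.action": "Disable-MalwareFilterRule", "event.outcome": "success",
     "user.name": "exchange-admin@example.com"},
    # Failed attempt: outcome is not success, so the rule does not fire.
    {"event.dataset": "o365.audit", "event.provider": "Exchange", "event.category": "web",
     "event.action": "Remove-MalwareFilterRule", "event.outcome": "failure",
     "user.name": "attacker@example.com"},
    # Creating a rule is not in the monitored cmdlet set.
    {"event.dataset": "o365.audit", "event.provider": "Exchange", "event.category": "web",
     "event.action": "New-MalwareFilterRule", "event.outcome": "success",
     "user.name": "exchange-admin@example.com"},
    # Same cmdlet name under a different (assumed) provider: no match.
    {"event.dataset": "o365.audit", "event.provider": "OtherWorkload", "event.category": "web",
     "event.action": "Disable-MalwareFilterRule", "event.outcome": "success",
     "user.name": "attacker@example.com"},
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS, expected_admins={"exchange-admin@example.com"})
    for ev in alerts:
        print("ALERT      ", ev["event.action"], "by", ev["user.name"])
    for ev in suppressed:
        print("suppressed ", ev["event.action"], "by", ev["user.name"], "(expected admin)")
```

Note the limitation of an account-based exception: an attacker who has compromised an administrator's account is suppressed along with the administrator. In practice, tie exceptions to a change window or ticket reference in addition to the actor, and keep the suppressed events for review rather than discarding them.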