a safe attachment rule may be disabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1562
o365
elastic

Techniques

T1562

Sample rules

Microsoft 365 Exchange Safe Attachment Rule Disabled

source: elastic
technicques:
- T1562

Description

Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success