LoFP / actual mailbox rules that are moving items based on their workflow.

Techniques

• t1140

Sample rules

Suspicious Inbox Manipulation Rules

• source: sigma
• technicques:
  • t1140

Description

Detects suspicious rules that delete or move messages or folders are set on a user’s inbox.

Detection logic

condition: selection
selection:
  riskEventType: mcasSuspiciousInboxManipulationRules