LoFP / Rare legitimate automation or third-party tools may create inbox rules with non-alphanumeric names. Validate against known messaging workflows and approved admin scripts before escalating.

Techniques

Sample rules

M365 Exchange Inbox Rule with Obfuscated Name

Description

Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from o365.audit.ObjectId, which encodes the mailbox identity and rule name separated by a backslash.

Detection logic

from logs-o365.audit-* metadata _id, _version, _index
| where
    data_stream.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("New-InboxRule", "Set-InboxRule") and
    event.outcome == "success" and
    o365.audit.ObjectId is not null
| grok o365.audit.ObjectId """.*\\\\(?<Esql.inbox_rule_name>.*)$"""
// only special chars in inbox rule name
| where Esql.inbox_rule_name rlike """[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+"""
| keep
    @timestamp,
    _id,
    _version,
    _index,
    Esql.inbox_rule_name,
    o365.audit.ObjectId,
    o365.audit.UserId,
    o365.audit.ApplicationId,
    user.name,
    user.domain,
    event.action,
    source.ip,
    source.as.number,
    source.as.organization.name,
    o365.audit.Parameters.ForwardTo,
    o365.audit.Parameters.ForwardAsAttachmentTo,
    o365.audit.Parameters.RedirectTo
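As an added illustration (not part of the rule or of Elastic's code), the following Python re-implements the same ObjectId parsing and special-character match over constructed, flattened o365 audit events, and adds the allowlist triage step the false-positive note above calls for. The tenant, user names and the approved automation account are made up.

```python
import re

# Same character class as the rule's RLIKE; fullmatch() mirrors RLIKE's whole-string semantics
OBFUSCATED_NAME = re.compile(r"""[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+""")
RULE_ACTIONS = {"New-InboxRule", "Set-InboxRule"}
# Hypothetical allowlist of approved automation identities (the "known workflows" of the LoFP note)
APPROVED_AUTOMATION = {"svc-ticketing@contoso.onmicrosoft.com"}

def rule_name_from_object_id(object_id):
    # The rule name is whatever follows the last backslash, as the grok .*\\\\(?<Esql.inbox_rule_name>.*)$ does
    return object_id.rsplit("\\", 1)[1] if "\\" in object_id else None

def is_obfuscated(name):
    # Non-empty name made only of special characters (rlike requires at least one char: "+")
    return bool(name) and OBFUSCATED_NAME.fullmatch(name) is not None

def evaluate(event):
    """Apply the rule's filters to one event; returns 'alert', 'allowlisted' or None."""
    if (event.get("data_stream.dataset") != "o365.audit"
            or event.get("event.provider") != "Exchange"
            or event.get("event.action") not in RULE_ACTIONS
            or event.get("event.outcome") != "success"):
        return None
    name = rule_name_from_object_id(event.get("o365.audit.ObjectId") or "")
    if not is_obfuscated(name):
        return None
    if event.get("o365.audit.UserId", "").lower() in APPROVED_AUTOMATION:
        return "allowlisted"   # matched the pattern, but from an approved automation identity
    return "alert"

def triage(events):
    # (ObjectId, verdict) per event, so the analyst sees what matched and why
    return [(e.get("o365.audit.ObjectId"), evaluate(e)) for e in events]

# Constructed sample events (not real audit data); tenant and users are made up
BASE = {"data_stream.dataset": "o365.audit", "event.provider": "Exchange", "event.outcome": "success"}
SAMPLE_EVENTS = [
    {**BASE, "event.action": "New-InboxRule", "o365.audit.UserId": "alice@contoso.onmicrosoft.com",
     "o365.audit.ObjectId": "contoso.onmicrosoft.com\\alice\\..."},            # only dots -> alert
    {**BASE, "event.action": "Set-InboxRule", "o365.audit.UserId": "bob@contoso.onmicrosoft.com",
     "o365.audit.ObjectId": "contoso.onmicrosoft.com\\bob\\Move newsletters"},  # readable -> no match
    {**BASE, "event.action": "New-InboxRule", "o365.audit.UserId": "svc-ticketing@contoso.onmicrosoft.com",
     "o365.audit.ObjectId": "contoso.onmicrosoft.com\\svc-ticketing\\---"},     # approved automation
    {**BASE, "event.action": "New-InboxRule", "event.outcome": "failure",
     "o365.audit.UserId": "eve@contoso.onmicrosoft.com", "o365.audit.ObjectId": "contoso.onmicrosoft.com\\eve\\!!!"},
]

if __name__ == "__main__":
    for object_id, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict or 'no match':11} {object_id}")
```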