Loading

M365 Exchange Inbox Rule with Obfuscated Name

Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and rule name separated by a backslash.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Domain: Email
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule flags New-InboxRule and Set-InboxRule activity where the inbox rule name extracted from o365.audit.ObjectId contains only special characters. Attackers use these names to make malicious rules harder to spot in the Microsoft 365 compliance portal and security tooling.

Because this rule uses ESQL grok and keep, review the original o365.audit documents for full rule parameters (o365.audit.Parameters.*) such as forwarding, deletion, or move actions.

  • Review Esql.inbox_rule_name and o365.audit.ObjectId to confirm the parsed rule identity and mailbox path.
  • Identify the actor using o365.audit.UserId and correlate with Entra ID sign-in logs for the same source.ip.
  • Inspect event.action to determine whether the rule was newly created or modified.
  • Review kept forwarding and redirect parameters (ForwardTo, ForwardAsAttachmentTo, ForwardingAddress, RedirectTo, RedirectToRecipients) for external destinations outside user.domain.
  • Pull the source event and review o365.audit.Parameters for DeleteMessage, MoveToFolder, or SubjectContainsWords that indicate evasion or exfiltration intent.
  • Hunt for other inbox rules from the same user or IP with standard or obfuscated names.
  • Internal scripts that programmatically name rules with symbols may match. Document approved senders and exclude if necessary.
  • Broken or partial ObjectId values can affect grok extraction; verify the parsed name in the raw audit record.
  • Remove the inbox rule from the affected mailbox if unauthorized.
  • Reset credentials and revoke sessions for the user if compromise is suspected.
  • Review the tenant for additional malicious inbox or transport rules from the same source IP.
from logs-o365.audit-* metadata _id, _version, _index
| where
    data_stream.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("New-InboxRule", "Set-InboxRule") and
    event.outcome == "success" and
    o365.audit.ObjectId is not null
| grok o365.audit.ObjectId """.*\\\\(?<Esql.inbox_rule_name>.*)$"""
// only special chars in inbox rule name
| where Esql.inbox_rule_name rlike """[!@#$%^&*()_+={[\]|\\:;"'<,>.?/~` \-]+"""
| keep
    @timestamp,
    _id,
    _version,
    _index,
    Esql.inbox_rule_name,
    o365.audit.ObjectId,
    o365.audit.UserId,
    o365.audit.ApplicationId,
    user.name,
    user.domain,
    event.action,
    source.ip,
    source.as.number,
    source.as.organization.name,
    o365.audit.Parameters.ForwardTo,
    o365.audit.Parameters.ForwardAsAttachmentTo,
    o365.audit.Parameters.RedirectTo

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK