Suspicious creation or modification of inbox rules through PowerShell (New-InboxRule, Set-InboxRule) to automatically delete, move, or hide emails. Defender perspective: unusual rule activity correlated with mailbox access and filtering patterns.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:Security | EventCode=4104 |
| Application Log Content (DC0038) | m365:unified | New-InboxRule or Set-InboxRule events recorded in Exchange Online |

| Field | Description |
|---|---|
| SuspiciousKeywords | Keywords like 'phish', 'malware', 'suspicious' used in inbox rules to hide emails. |
| UserContext | Scope mailbox monitoring to high-value users such as executives or admins. |
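The following script is an added example, not part of the original page, showing how the EventCode 4104 side of this analytic can be implemented: it scans PowerShell script block text for New-InboxRule or Set-InboxRule, pulls out the parameters that hide mail (DeleteMessage, MoveToFolder, MarkAsRead) and the content-filter parameters (SubjectContainsWords and friends), and rates the event by whether the filter words match the SuspiciousKeywords list. The sample events, the user names and the keyword list are constructed for the example; the cmdlet and parameter names are real Exchange Online cmdlet parameters.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed EventCode 4104 (PowerShell script block logging) records. The
# ScriptBlockText values are illustrative and not taken from any real host.
SAMPLE_4104_EVENTS: List[Dict[str, Any]] = [
    {"EventCode": 4104, "UserId": "CORP\\alice",
     "ScriptBlockText": 'New-InboxRule -Name "Updates" -SubjectContainsWords "phishing","security alert" -DeleteMessage $true'},
    {"EventCode": 4104, "UserId": "CORP\\bob",
     "ScriptBlockText": "Set-InboxRule -Identity 'Archive' -FromAddressContainsWords 'soc@corp.example' -MoveToFolder ':\\RSS Feeds' -MarkAsRead $true"},
    {"EventCode": 4104, "UserId": "CORP\\carol",
     "ScriptBlockText": "Get-InboxRule -Mailbox carol@corp.example"},
    {"EventCode": 4104, "UserId": "CORP\\dave",
     "ScriptBlockText": 'New-InboxRule -Name "Vendor" -FromAddressContainsWords "vendor.example" -MoveToFolder ":\\Vendors"'},
]

# The page's SuspiciousKeywords tunable: case-insensitive substring match.
SUSPICIOUS_KEYWORDS = ("phish", "malware", "suspicious", "security", "incident", "alert")

RULE_CMDLET = re.compile(r"\b(New-InboxRule|Set-InboxRule)\b", re.IGNORECASE)
# Parameters that remove a message from the user's view.
HIDING_PARAM = re.compile(r"-(DeleteMessage|MoveToFolder|MarkAsRead)\b", re.IGNORECASE)
# Content-filter parameters followed by one or more quoted, comma-separated values.
FILTER_PARAM = re.compile(
    r"-(SubjectContainsWords|BodyContainsWords|SubjectOrBodyContainsWords|FromAddressContainsWords)"
    r"\s+((?:\"[^\"]*\"|'[^']*')(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'))*)",
    re.IGNORECASE,
)
QUOTED = re.compile(r"\"([^\"]*)\"|'([^']*)'")


def filter_values(script: str) -> List[str]:
    """Every quoted value handed to a content-filter parameter."""
    values: List[str] = []
    for _param, arg in FILTER_PARAM.findall(script):
        values.extend(dq or sq for dq, sq in QUOTED.findall(arg))
    return values


def keyword_hits(values: List[str]) -> List[str]:
    """Filter values that contain one of the suspicious keywords."""
    return [v for v in values if any(k in v.lower() for k in SUSPICIOUS_KEYWORDS)]


def analyze_event(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a finding for a 4104 event that creates or changes an inbox rule, else None."""
    if event.get("EventCode") != 4104:
        return None
    script = event.get("ScriptBlockText", "")
    cmdlet = RULE_CMDLET.search(script)
    if cmdlet is None:
        return None
    hiding = sorted({m.group(1) for m in HIDING_PARAM.finditer(script)}, key=str.lower)
    hits = keyword_hits(filter_values(script))
    # Hiding action plus a security-related filter word is the strongest signal;
    # a hiding action alone is still worth a look for high-value mailboxes.
    severity = "high" if hiding and hits else "medium" if hiding else "low"
    return {"user": event.get("UserId"), "cmdlet": cmdlet.group(1),
            "hiding_params": hiding, "keyword_hits": hits, "severity": severity}


def analyze_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Findings for every event that touches an inbox rule, in log order."""
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_4104_EVENTS):
        print(finding)
```

Get-InboxRule is deliberately not matched: listing rules is routine, and alerting on it would swamp the signal from rules that actually delete or move mail. Feed the UserContext list into a second stage that raises "medium" findings for executives or admins.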
Alterations to plist configuration files (RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, MessageRules.plist) that define email hiding or filtering rules. Defender perspective: unexpected changes in these files associated with Mail.app processes.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Modifications to Mail.app plist files controlling message rules |
| Process Creation (DC0032) | macos:unifiedlog | Mail.app executing with parameters updating rules state |

| Field | Description |
|---|---|
| WatchedPlistFiles | Adjust to monitor only rule-related plist files relevant to the environment. |
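As an added example (not code from the page or from Apple), the script below covers both halves of this analytic: it baselines the watched plist files by SHA-256 so that a later snapshot reveals which rule file changed, and it parses a rule plist with plistlib to flag rules whose criteria mention suspicious keywords and whose action deletes, marks read or files away the message. The sample plist is constructed, and the dictionary keys it uses (Name, Criteria, Header, Expression, DeleteMessage, MarkRead, MoveToMailbox) are an assumption about Mail.app's rule format that should be checked against a real file; the directory layout in the demo is likewise assumed.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path
from typing import Any, Dict, List

# The rule-related plist files named on the page (the WatchedPlistFiles tunable).
WATCHED_PLIST_FILES = ("RulesActiveState.plist", "SyncedRules.plist",
                       "UnsyncedRules.plist", "MessageRules.plist")
SUSPICIOUS_KEYWORDS = ("phish", "malware", "suspicious", "security", "incident")

# Constructed rule file. The key names (Name, Criteria, Header, Expression,
# DeleteMessage, MarkRead, MoveToMailbox) are an assumption about how Mail.app
# serialises rules; confirm against a real file before relying on them.
SAMPLE_SYNCED_RULES = plistlib.dumps([
    {"Name": "Newsletters",
     "Criteria": [{"Header": "From", "Expression": "news@vendor.example"}],
     "MoveToMailbox": "Newsletters", "DeleteMessage": False},
    {"Name": "Cleanup",
     "Criteria": [{"Header": "Subject", "Expression": "phishing report"},
                  {"Header": "Subject", "Expression": "security incident"}],
     "DeleteMessage": True, "MarkRead": True},
])


def suspicious_rules(plist_bytes: bytes) -> List[Dict[str, Any]]:
    """Rules whose criteria mention a suspicious keyword and whose action hides the message."""
    findings = []
    for rule in plistlib.loads(plist_bytes):
        expressions = [c.get("Expression", "") for c in rule.get("Criteria", [])]
        hits = [e for e in expressions if any(k in e.lower() for k in SUSPICIOUS_KEYWORDS)]
        hides = bool(rule.get("DeleteMessage")) or bool(rule.get("MarkRead")) or "MoveToMailbox" in rule
        if hits and hides:
            findings.append({"rule": rule.get("Name"), "matches": hits,
                             "delete": bool(rule.get("DeleteMessage"))})
    return findings


def snapshot(root: Path) -> Dict[str, str]:
    """SHA-256 of every watched plist found under root (a Mail data directory)."""
    digests: Dict[str, str] = {}
    for name in WATCHED_PLIST_FILES:
        for path in root.rglob(name):
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Watched files that were added, removed or modified since the baseline."""
    return sorted(k for k in set(baseline) | set(current) if baseline.get(k) != current.get(k))


def demo() -> List[str]:
    """Baseline a scratch Mail directory, rewrite one rule file, report the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        mail_data = root / "MailData"            # directory layout is assumed
        mail_data.mkdir()
        (mail_data / "SyncedRules.plist").write_bytes(plistlib.dumps([]))
        baseline = snapshot(root)
        (mail_data / "SyncedRules.plist").write_bytes(SAMPLE_SYNCED_RULES)
        return changed_files(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    print(suspicious_rules(SAMPLE_SYNCED_RULES))
```

In production the snapshot would be taken on a schedule or triggered by a unified log file-modification event for the Mail.app process, and a changed file would then be handed to suspicious_rules to decide whether the change deserves an alert rather than a log line.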
Rule manipulation through local email clients (e.g., Evolution, Thunderbird) or server-side filtering scripts (e.g., sieve) creating conditions to move or discard emails with security-related keywords.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve calls modifying local mail filter configuration files |
| Application Log Content (DC0038) | ApplicationLog:MailServer | Unexpected additions of sieve rules or filtering directives |

| Field | Description |
|---|---|
| MailServerLogs | Customize based on mail server software (Postfix, Dovecot, Exim). |
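The script below is an added example, not part of the original page, of the server-side half of this analytic: a small sieve scanner that finds if-blocks whose action is discard or a fileinto into a trash-like folder and rates them higher when the header test uses security-related words, plus a helper that picks out auditd PATH records naming a local filter file (.sieve, .procmailrc, .forward). The sieve script and the audit record are constructed; the scanner handles the flat if-blocks shown and does not parse nested blocks or strings containing '#'.

```python
import re
from typing import Dict, List, Optional

SUSPICIOUS_KEYWORDS = ("phish", "malware", "suspicious", "security", "incident", "alert")
# fileinto targets that keep mail out of the user's sight.
HIDING_FOLDERS = ("trash", "junk", "spam", "deleted")
# Local filter files worth watching in execve/PATH audit records (examples; extend per MTA/MDA).
FILTER_FILE_PATTERNS = (r"\.sieve$", r"/\.procmailrc$", r"/\.forward$", r"/sieve/")

# Constructed sieve script; the first rule is benign, the other two hide security mail.
SAMPLE_SIEVE = '''
require ["fileinto"];
# Keep vendor newsletters out of the inbox
if header :contains "from" "news@vendor.example" {
    fileinto "Newsletters";
}
if anyof (header :contains "subject" ["phishing", "security alert"],
          header :contains "from" "soc@corp.example") {
    discard;
}
if header :contains "subject" "incident report" {
    fileinto "Trash";
    stop;
}
'''

# Constructed auditd PATH record for a write to a user's Dovecot sieve script.
SAMPLE_AUDIT_PATH = ('type=PATH msg=audit(1709280000.123:4567): item=1 '
                     'name="/home/alice/.dovecot.sieve" inode=131094 dev=fd:01 mode=0100644 '
                     'ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL')

BLOCK = re.compile(r"\bif\s+(?P<test>[^{]*)\{(?P<body>[^}]*)\}", re.IGNORECASE)
HEADER_TEST = re.compile(r'\b(?:header|address|envelope)\s+(?::\w+\s+)*"(?P<name>[^"]*)"\s+'
                         r'(?P<values>\[[^\]]*\]|"[^"]*")', re.IGNORECASE)
STRING = re.compile(r'"([^"]*)"')
ACTION = re.compile(r'\b(discard|fileinto\s+"([^"]*)"|redirect\s+"([^"]*)")', re.IGNORECASE)


def scan_sieve(script: str) -> List[Dict]:
    """Flag if-blocks whose action hides mail; rate them higher when the test uses suspicious words."""
    script = re.sub(r"#[^\n]*", "", script)   # strip comments (a '#' inside a string is also cut)
    findings = []
    for block in BLOCK.finditer(script):        # flat blocks only; nesting is not handled
        tests: Dict[str, List[str]] = {}
        for h in HEADER_TEST.finditer(block.group("test")):
            tests.setdefault(h.group("name").lower(), []).extend(STRING.findall(h.group("values")))
        actions, hiding = [], False
        for a in ACTION.finditer(block.group("body")):
            verb = a.group(1).split()[0].lower()
            target = a.group(2) or a.group(3)
            actions.append(verb if target is None else f'{verb} "{target}"')
            if verb == "discard" or (verb == "fileinto" and target.lower() in HIDING_FOLDERS):
                hiding = True
        if not hiding:
            continue
        hits = [v for vals in tests.values() for v in vals
                if any(k in v.lower() for k in SUSPICIOUS_KEYWORDS)]
        findings.append({"tests": tests, "actions": actions, "keyword_hits": hits,
                         "severity": "high" if hits else "medium"})
    return findings


def touched_filter_file(audit_line: str) -> Optional[str]:
    """Path from an auditd PATH record if it names a local mail filter file, else None."""
    m = re.search(r'type=PATH .*?name="([^"]*)"', audit_line)
    if m and any(re.search(p, m.group(1)) for p in FILTER_FILE_PATTERNS):
        return m.group(1)
    return None


if __name__ == "__main__":
    for f in scan_sieve(SAMPLE_SIEVE):
        print(f)
    print(touched_filter_file(SAMPLE_AUDIT_PATH))
```

Pair the two: an execve audit event whose PATH record passes touched_filter_file is the trigger, and scan_sieve run over the rewritten file decides whether the new rule discards or buries security mail. For Postfix, Dovecot or Exim the MailServerLogs tunable selects which log (for example the managesieve or sieve-execution log) supplies the rule additions.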
Suspicious rule creation within Outlook or Exchange clients, including auto-move or delete conditions tied to incident or security alert keywords. Defender perspective: correlation between missing inbound emails and newly added mailbox rules.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Transport rule or inbox rule creation events |

| Field | Description |
|---|---|
| RuleScope | Decide whether to monitor individual mailbox rules, org-wide transport rules, or both. |