Exchange mailbox activities (per-item) M365-ExchangeItem

8 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-ExchangeItem rules matching the RecordType but no specific Operation.
Add-MailboxFolderPermission	A permission entry was added to a mailbox folder (UAL operation AddFolderPermissions), granting a delegate access to a specific folder.
Add-MailboxPermission	FullAccess (delegate) mailbox permission was granted, allowing another user to access the mailbox; logged as a mailbox activity even when an admin performs it.
HardDelete	A mailbox item was permanently deleted (hard-deleted) and is not recoverable from the Deleted Items folder.
MoveToDeletedItems	A mailbox item was moved to the Deleted Items folder.
New-InboxRule	A mailbox owner or delegate created an inbox rule in Outlook web app, commonly abused for auto-forwarding or deletion of evidence.
Set-InboxRule	A mailbox owner or delegate modified an inbox rule in Outlook web app.
SoftDelete	A mailbox item was soft-deleted (moved to the Recoverable Items / Deleted Items dumpster and recoverable by the user).

_catch_all: Exchange mailbox activities (per-item) (catch-all)

RecordType: M365-ExchangeItem

Description

Catch-all for M365-ExchangeItem rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add-MailboxFolderPermission

RecordType: M365-ExchangeItem

Description

A permission entry was added to a mailbox folder (UAL operation AddFolderPermissions), granting a delegate access to a specific folder.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Operation`	in	`Set-TransportRule`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches Add-MailboxPermission, New-InboxRule, Set-InboxRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add-MailboxPermission

RecordType: M365-ExchangeItem

Description

FullAccess (delegate) mailbox permission was granted, allowing another user to access the mailbox; logged as a mailbox activity even when an admin performs it.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Operation`	in	`Set-TransportRule`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mailbox High-Risk Permission Delegated source low: Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.

Kusto #

Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches Add-MailboxFolderPermission, New-InboxRule, Set-InboxRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

HardDelete

RecordType: M365-ExchangeItem

Description

A mailbox item was permanently deleted (hard-deleted) and is not recoverable from the Deleted Items folder.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange MFA Notification Email Deleted or Moved source low: Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.↳ also matches MoveToDeletedItems, SoftDelete

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

MoveToDeletedItems

RecordType: M365-ExchangeItem

Description

A mailbox item was moved to the Deleted Items folder.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange MFA Notification Email Deleted or Moved source low: Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.↳ also matches HardDelete, SoftDelete

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

New-InboxRule

RecordType: M365-ExchangeItem

Description

A mailbox owner or delegate created an inbox rule in Outlook web app, commonly abused for auto-forwarding or deletion of evidence.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`New-InboxRule`	3 rules	elastic
`EventType`	in	`Set-InboxRule`	3 rules	elastic
`Operation`	eq	`New-InboxRule`	3 rules	kusto, sigma, splunk
`m365::Parameters`	contains	`deletemessage`	3 rules	kusto, sigma
`m365::Parameters`	contains	`deleted items`	2 rules	kusto
`m365::Parameters`	contains	`junk email`	2 rules	kusto
`BodyContainsWords`	contains	`phishing`	2 rules	kusto
`BodyContainsWords`	contains	`alert`	1 rule	kusto
`BodyContainsWords`	contains	`suspicious`	1 rule	kusto
`BodyContainsWords`	contains	`do not click`	1 rule	kusto
`BodyContainsWords`	contains	`do not open`	1 rule	kusto
`BodyContainsWords`	contains	`fake`	1 rule	kusto
`Provider_Name`	eq	`Exchange`	2 rules	elastic
`SubjectContainsWords`	contains	`phishing`	2 rules	kusto
`SubjectOrBodyContainsWords`	contains	`phishing`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Inbox Rules Creation Or Update Activity in O365 source medium: Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.↳ also matches Set-InboxRule

Elastic #

M365 Exchange Inbox Forwarding Rule Created source medium: Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.↳ also matches Set-InboxRule
M365 Exchange Inbox Rule with Obfuscated Name source medium: Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and rule name separated by a backslash.↳ also matches Set-InboxRule
M365 Exchange Inbox Phishing Evasion Rule Created source medium: Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user principal name and associated source IP address have not been observed performing this activity in the past 14 days.↳ also matches Set-InboxRule

Kusto #

Malicious BEC Inbox Rule source medium: 'Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack. This is done so as to limit ability to warn compromised users that they've been compromised.
Malicious Inbox Rule source medium: Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/
Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches Add-MailboxFolderPermission, Add-MailboxPermission, Set-InboxRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-InboxRule

RecordType: M365-ExchangeItem

Description

A mailbox owner or delegate modified an inbox rule in Outlook web app.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`New-InboxRule`	3 rules	elastic
`EventType`	in	`Set-InboxRule`	3 rules	elastic
`Provider_Name`	eq	`Exchange`	2 rules	elastic
`Operation`	eq	`New-InboxRule`	1 rule	kusto, sigma, splunk
`Operation`	eq	`Set-InboxRule`	1 rule	sigma, splunk
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Operation`	in	`Set-TransportRule`	1 rule	kusto
`m365::ObjectId`	is_not_null		1 rule	elastic
`m365::Parameters`	contains	`deletemessage`	1 rule	kusto, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Inbox Rules Creation Or Update Activity in O365 source medium: Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.↳ also matches New-InboxRule

Elastic #

M365 Exchange Inbox Forwarding Rule Created source medium: Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.↳ also matches New-InboxRule
M365 Exchange Inbox Rule with Obfuscated Name source medium: Identifies when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters. Adversaries may use obfuscated inbox rule names to evade detection, hide malicious forwarding or deletion rules, or blend in with benign audit noise. The rule name is parsed from "o365.audit.ObjectId", which encodes the mailbox identity and rule name separated by a backslash.↳ also matches New-InboxRule
M365 Exchange Inbox Phishing Evasion Rule Created source medium: Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user principal name and associated source IP address have not been observed performing this activity in the past 14 days.↳ also matches New-InboxRule

Kusto #

Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches Add-MailboxFolderPermission, Add-MailboxPermission, New-InboxRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

SoftDelete

RecordType: M365-ExchangeItem

Description

A mailbox item was soft-deleted (moved to the Recoverable Items / Deleted Items dumpster and recoverable by the user).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`LogonType`	Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
`MailboxOwnerUPN`	Email address of the person who owns the accessed mailbox.
`MailboxGuid`	Exchange GUID of the accessed mailbox.
`LogonUserSid`	SID of the user who performed the operation.
`ExternalAccess`	True if the logon user's domain differs from the mailbox owner's domain.
`ClientInfoString`	Information about the email client used (browser/Outlook version, mobile device info).
`ClientIPAddress`	IP address of the device used when the operation was logged.
`ClientProcessName`	The email client used to access the mailbox.
`SessionId`	Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange MFA Notification Email Deleted or Moved source low: Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.↳ also matches HardDelete, MoveToDeletedItems

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)