This event is raised whenever Office Protect detects a suspicious inbox rule created or updated on a mailbox.


When attackers gain access to an Exchange user account, they often create inbox rules to:

  • Hide evidence of the compromise: by diverting specific emails away from the user's inbox, such as security alerts, password reset requests or replies from the people they are targeting, they decrease the likelihood of the user noticing any suspicious activity.
  • Exfiltrate data: by forwarding certain types of emails to an external address they control, they can steal sensitive information without repeatedly signing in to the mailbox, which reduces the chance of detection.
  • Maintain persistence: even if the user changes their password or the account is otherwise secured, a forwarding rule keeps delivering mail to the attacker until the rule itself is removed, giving them continued access to valuable information over an extended period.
  • Spam and phish: by automatically responding to or forwarding incoming emails, they can distribute spam or phishing messages to contacts in the user's address book, expanding their reach and the potential for further compromise.


Creating or updating an inbox rule that has an empty or meaningless name, or that moves messages to folders users rarely check, such as RSS Feeds or Archive, should raise a red flag.
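As an added example, not part of the Office Protect documentation, the following PowerShell applies those red flags to every rule on one mailbox and reports the ones that match. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the mailbox address, the list of internal domains, and the folder and keyword lists are illustrative assumptions to adapt to your tenant.

```powershell
# Added example (not the product's own code). Assumes an existing Exchange Online session.
$InternalDomains = @('contoso.com')   # assumption: replace with your tenant's accepted domains
$QuietFolders    = @('RSS Feeds', 'RSS Subscriptions', 'Archive', 'Junk Email',
                     'Deleted Items', 'Conversation History')   # folders users rarely open

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)   # one object from Get-InboxRule
    $reasons = @()

    # 1. Forward or redirect to an address outside the tenant (exfiltration / persistence)
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($t in ($targets | Where-Object { $_ })) {
        # recipients render as 'Display Name [SMTP:user@domain]'; pull out the address
        $addr   = if ("$t" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$t" }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -and $InternalDomains -notcontains $domain) {
            $reasons += "forwards/redirects to external address $addr"
        }
    }

    # 2. Files mail into a folder the user is unlikely to look at (MoveToFolder renders as 'mailbox:\Folder')
    if ($Rule.MoveToFolder) {
        $folderName = ("$($Rule.MoveToFolder)" -split '\\')[-1]
        if ($QuietFolders -contains $folderName) { $reasons += "moves messages to '$folderName'" }
    }

    # 3. Deletes or marks as read so the victim never sees the message
    if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
    if ($Rule.MarkAsRead)    { $reasons += 'marks matching messages as read' }

    # 4. Empty, one-character or punctuation-only names are typical of attacker-created rules
    if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name.Length -le 2 -or
        $Rule.Name -notmatch '[A-Za-z0-9]') {
        $reasons += "rule name '$($Rule.Name)' is empty or uninformative"
    }

    # 5. Keyword filters that single out security notices or payment traffic
    $keywords = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    $hot = $keywords | Where-Object {
        $_ -and $_ -match 'password|invoice|payment|wire|bank|security|alert|phish|hacked|suspicious'
    }
    if ($hot) { $reasons += "filters on sensitive keywords: $($hot -join ', ')" }

    [pscustomobject]@{
        Mailbox    = $Rule.MailboxOwnerId
        Name       = $Rule.Name
        Enabled    = $Rule.Enabled
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Review every rule on one mailbox (assumed UPN) and print only the ones that match a red flag
Get-InboxRule -Mailbox 'alice@contoso.com' |
    ForEach-Object { Test-SuspiciousInboxRule -Rule $_ } |
    Where-Object Suspicious |
    Format-Table Mailbox, Name, Enabled, Reasons -AutoSize
```

Drop the Where-Object filter to see every rule with its reasons column, which is useful when deciding which rules to disable during the review described under Remediation below.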



Remediation


1. Review the inbox rule details (detailed in the event description) and consider removing it.

2. If the inbox rule is deemed malicious, consider disabling all of the impacted account's inbox rules until they have been reviewed, to limit any further impact. You can disable inbox rules from the event's details page, Remediation tab, Block user.


3. Review who performed the action (detailed in the event description), and consider blocking the user and resetting their password if the action was unexpected.


4. Review the Office Protect events related to the user from the Report section, and review the user's activity.



Operations to look for in the unified audit log:


  • New-InboxRule
  • Set-InboxRule



Remove an inbox rule from PowerShell:


https://learn.microsoft.com/en-us/powershell/module/exchange/remove-inboxrule?view=exchange-ps
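An added example, not from the Office Protect documentation, that pulls the New-InboxRule and Set-InboxRule operations listed above from the unified audit log, shows who made each change, from which IP and with which parameters, and then contains the mailbox by disabling its rules before removing the confirmed one with Remove-InboxRule. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and illustrative values for the date range, mailbox and rule name.

```powershell
# Added example (not the product's own code). Assumptions: ExchangeOnlineManagement module
# installed; the 30-day window, mailbox and rule name below are illustrative.
Connect-ExchangeOnline           # interactive sign-in

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Outlook desktop records rule changes as UpdateInboxRules rather than New-/Set-InboxRule,
# so it is searched alongside the two operations named above.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules'

# Search-UnifiedAuditLog returns at most 5000 records per call; keep calling with the same
# SessionId until a page comes back short.
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId 'inboxrule-hunt' -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON document; for the cmdlet-based operations the arguments sit in
# Parameters as Name/Value pairs (UpdateInboxRules records carry no Parameters array).
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId          # who made the change; may differ from the mailbox owner
        ClientIP  = $d.ClientIP        # empty for some record types
        Target    = $d.ObjectId        # object acted on, usually '<mailbox>\<rule name>'
        RuleName  = $p['Name']
        ForwardTo = (@($p['ForwardTo'], $p['ForwardAsAttachmentTo'], $p['RedirectTo']) |
                     Where-Object { $_ }) -join ';'
        MoveTo    = $p['MoveToFolder']
        Delete    = $p['DeleteMessage']
    }
}

$events | Sort-Object When |
    Format-Table When, Operation, Actor, ClientIP, RuleName, ForwardTo, MoveTo, Delete -AutoSize

# Containment: disable every rule on the impacted mailbox (reversible), then remove the
# confirmed-malicious one. $DryRun keeps -WhatIf on so nothing changes until you flip it.
$mailbox = 'alice@contoso.com'      # assumption
$badRule = 'Calendar Sync'          # assumption: name taken from the event details
$DryRun  = $true

Get-InboxRule -Mailbox $mailbox | Disable-InboxRule -Confirm:$false -WhatIf:$DryRun
Remove-InboxRule -Mailbox $mailbox -Identity $badRule -Confirm:$false -WhatIf:$DryRun

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the disabled rules in place until the owner has reviewed them (step 2 above); Enable-InboxRule restores the legitimate ones, while the malicious rule is removed outright so it cannot be re-enabled by mistake.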