Enable Auditing for Mailbox Rules
Auditing should include Mailbox Rules. Currently auditing doesn't show who created, edited, or deleted a rule. This is critical in shared mailboxes where multiple people have access to the mailbox and any number of them have this ability.
Rules need to be recoverable. I'm very disappointed that Microsoft has failed on this. Very poor planning on Microsoft's part; mails are already recoverable in this manner, and it should have been extended to rules by default.
Get-RecoverableItems -Identity <username> -FilterItemType IPM.<whatever rules are>
+1. Same boat: been asked to find out who and when created an OOF rule in a generic mailbox with delegates.
Peter Jang commented
Absolutely we need this one.
Yes, please. We have a lot of issues knowing when a rule was created or deleted.
Steve Brogan commented
2 years and 2 versions of Exchange later, still waiting...
Colin Gedgard commented
No, it's not just Rule Creation (although that sounds like it fixed your use case). We use extensive rules and I've worked on some issues where the rule priority keeps changing. I've been working with MS support, but there is no way to find out who or what is changing the rule priority. For now I have a script running every few minutes that checks the rule priority and corrects it if it changes.
Zeff Wheelock commented
This has been added for the most part, where you can audit for mailbox rule creation. Can this be marked as completed?
Shane Gardner commented
For the last comment (from A on May 30th, 2018).....I would bet $1 their account was hacked and the hacker created that rule. Been seeing that from time to time.
Also to prove to users they are stupid.
User: "I'M NOT RECEIVING MY EMAILS!!!!!"
Admin: "Looks like all the messages that were sent to you were received...and looks like they are being moved to trash by a rule you set up."
User: "I DIDN'T SET UP ANY RULE! I DON'T EVEN KNOW HOW TO DO THAT!!! YOU MUST HAVE DONE THAT!!! YOU JUST HAVE IT OUT FOR ME!!!"
*IF there was rule audit logs*
Admin: "Looks like you created this rule from this computer an hour ago....Don't be stupid."
User: ".....whatever."
Please Microsoft. Please.
+1 for this. Sometimes we need to audit rules other than ones that forward.
Zeff Wheelock commented
From the Secure Score in Office 365: "Review mailbox forwarding rules weekly" - You should review mailbox forwarding rules to external domains at least every week. There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by ***reviewing mail forwarding rule creation activity in the last week from the Audit Log Search***. While there are lots of legitimate uses of mail forwarding rules to other locations, it is also a very popular data exfiltration tactic for attackers. You should review them regularly to ensure your users' email is not being exfiltrated.
Seems they jumped the gun on that capability.
Our network was compromised and some version of a bot was adding rules to individual mailboxes that were moving emails to random folders and marking these emails as read. A rule auditor would allow us to see when it was created and who created it.
Adam K commented
Everyone loves more auditing! #OnPremMatters #KeepUrCloudforRainyDays #IfyouCantAuditYouCantManage
Jake Gordon commented
Yes! This would be such a benefit to me and my company! #OnPremMatters
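One way to approximate the rule-change tracking requested in this thread, as an added example that is not code from any commenter or from Microsoft: compare two snapshots of a mailbox's inbox rules and report rules that were created, removed or modified, priority included. The function names, the placeholder mailbox address and the sample rules are assumptions made for illustration; in practice the snapshots would come from Get-InboxRule.

```powershell
# Property names below are those Get-InboxRule returns for each rule.
$Fields = 'Name','Priority','Enabled','ForwardTo','RedirectTo',
          'MoveToFolder','DeleteMessage','MarkAsRead'

# Real snapshot (needs an Exchange session; mailbox is a placeholder):
#   Get-InboxRule -Mailbox 'shared@contoso.example' |
#       Select-Object (@('RuleIdentity') + $Fields)

# Hypothetical helper: emits one object per created, removed or modified rule.
function Compare-RuleSnapshot {
    param([object[]]$Previous, [object[]]$Current)
    $old = @{}; foreach ($r in $Previous) { $old["$($r.RuleIdentity)"] = $r }
    $new = @{}; foreach ($r in $Current)  { $new["$($r.RuleIdentity)"] = $r }
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Created'; Rule = $new[$id].Name; Field = ''; Was = ''; Now = '' }
            continue
        }
        foreach ($f in $Fields) {
            # Multi-valued properties (ForwardTo, RedirectTo) compare as joined strings
            $was = "$($old[$id].$f)"; $now = "$($new[$id].$f)"
            if ($was -cne $now) {
                [pscustomobject]@{ Change = 'Modified'; Rule = $new[$id].Name; Field = $f; Was = $was; Now = $now }
            }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Removed'; Rule = $old[$id].Name; Field = ''; Was = ''; Now = '' }
        }
    }
}

# Constructed sample snapshots (not real data), taken a few minutes apart
function New-SampleRule($Id, $Name, $Priority, $MoveTo, $MarkRead) {
    [pscustomobject]@{ RuleIdentity = $Id; Name = $Name; Priority = $Priority; Enabled = $true
        ForwardTo = $null; RedirectTo = $null; MoveToFolder = $MoveTo
        DeleteMessage = $false; MarkAsRead = $MarkRead }
}
$before = @( (New-SampleRule 1001 'Invoices' 1 'Finance' $false),
             (New-SampleRule 1002 'Newsletters' 2 'Reading' $false) )
$after  = @( (New-SampleRule 1001 'Invoices' 3 'Finance' $false),
             (New-SampleRule 1003 'x' 1 'RSS Feeds' $true) )

Compare-RuleSnapshot -Previous $before -Current $after | Format-Table -AutoSize
```

Run on a schedule with each snapshot persisted (for example with Export-Clixml), this records what changed and roughly when, but not who made the change.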