Alert Policy for Inbox Rule Creation/Deletion/Modification
Currently O365 has an alert for forwarding/redirect rule within Security and Compliance Center. Considering that most phishing campaigns are crafted with someone setting up Inbox rules to move messages to another folder which are monitored, creating a man-in-the-middle attack. It would benefit tremendously to be alerted whenever a user creates/deletes/modify an inbox rule to prevent attacks before they happen.
Please add an alert for rules created. A common phishing technique creates a rule to redirect all email to the RSS folder.
Please add this, our company just experienced this twice. Where an inbox rule was created via web app and emails were routed to another mail box by a hacker. It would be great if admins were notified of this to help monitor.
it's good if we have alert or turn it off by ECP because we use outlook client.
user don't know when user lost username and password and hacker use to sent phishing.
This policy would be really helpful in determining any external/internal bad actors who succeeded in deleting the inbox-rules of the owner. It can affect the company's daily flow of mail and create communication issues within various departments. This policy is needed for auditing to ensure security of our users' email communications and in identifying any nefarious activities.
Steve Dague commented
This would be very useful.
Mikhail Molchanov commented
There was a menu in Security Center but it's gone now but you can still access it if you go directly to https://protection.office.com/managealerts. That's where you can create an alert you need. When creating an alert there for activity search for "New-InboxRule".
Roei Zamir commented
how do you set an alert for creation of new inbox role for redirect /fwd ?
The last two instances where our where an email account was compromised a inbox rule was created. Getting an alert on this would have significantly reduced our time to resolve the issue.
Appreciate your consideration.
Scott Slagle commented
Please add this - I have been asked to create this alert and it's unavailable
Chris Parr commented
Absolutely! The Audit log has entries for "New-InboxRule Create Inbox rule from Outlook Web App" and "Set-InboxRule...." an alert tied to those events and filtered on IP address to exclude known good IPs would be very useful and have very few false positives.