Overview
Records the creation of a new inbox rule in an Exchange Online mailbox (the New-InboxRule operation in the Microsoft 365 Unified Audit Log, Workload "Exchange"). Critical for detecting Business Email Compromise (BEC): after taking over a mailbox, attackers routinely add rules that forward mail to an external address or hide replies (delete them, move them to an obscure folder such as RSS Feeds, mark them as read) so the victim never sees the conversation.
When Generated:
- When a user creates a new inbox rule in Outlook on the web (formerly Outlook Web App)
- When an inbox rule is created programmatically, for example with the New-InboxRule cmdlet in Exchange Online PowerShell or by an application acting on the mailbox
- When forwarding is set up through an inbox rule (ForwardTo, ForwardAsAttachmentTo or RedirectTo parameters); mailbox-level forwarding set with Set-Mailbox -ForwardingSmtpAddress is a separate Set-Mailbox event and must be monitored on its own
- Not for rules created from the Outlook desktop client: those are written through MAPI and appear as UpdateInboxRules mailbox-audit events instead, so a detection that only watches New-InboxRule misses them
Security Relevance:
High
Compliance:
- SOC 2
- GDPR
- HIPAA
- PCI DSS
- NIST Cybersecurity Framework
Frequency Notes: Low frequency during normal business operations, with spikes during onboarding and organizational changes. Suspicious patterns include creation outside the user's working hours or from an unfamiliar client IP, rules that forward or redirect to an external domain, rules that delete messages or move them to folders such as RSS Feeds or Deleted Items and mark them as read, rules whose name is blank or a single punctuation character, and filter conditions on financial keywords (invoice, payment, wire, remittance).
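The triage logic implied by the list above, as an added example that is not part of this page or of any Microsoft tooling: it parses AuditData payloads in the Unified Audit Log's New-InboxRule shape (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs, which is the real schema) and flags external forwarding, hiding actions, financial keyword filters, blank rule names and off-hours creation. The sample records, the tenant domain contoso.com, the IP addresses, the keyword list and the severity thresholds are constructed for illustration; CreationTime in the real log is UTC with no offset, so the off-hours check takes a UTC offset for the user's timezone.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample AuditData payloads in the shape the Unified Audit Log
# emits for Exchange operations (Workload "Exchange", RecordType 1). Every
# value is made up for this example; "contoso.com" stands in for the tenant.
SAMPLE_AUDITDATA = [
    # Classic BEC persistence: hide invoice traffic and forward it externally
    {"CreationTime": "2024-03-12T02:14:07", "Operation": "New-InboxRule",
     "RecordType": 1, "Workload": "Exchange", "ResultStatus": "True",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.5",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
         {"Name": "MoveToFolder", "Value": "alice@contoso.com:\\RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "ForwardTo", "Value": "billing-desk@example.net"}]},
    # Benign: file newsletters during business hours, no forwarding
    {"CreationTime": "2024-03-12T10:31:55", "Operation": "New-InboxRule",
     "RecordType": 1, "Workload": "Exchange", "ResultStatus": "True",
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.24",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "bob@contoso.com:\\Newsletters"}]},
    # Mailbox-level forwarding is a different operation, not an inbox rule
    {"CreationTime": "2024-03-12T11:02:00", "Operation": "Set-Mailbox",
     "RecordType": 1, "Workload": "Exchange", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:x@example.net"}]},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
FINANCIAL_KEYWORDS = ("invoice", "payment", "wire", "remittance", "bank", "ach")
# Folders attackers pick because nobody looks there (lower-case for comparison)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}


def parameters(record):
    """Flatten the Parameters Name/Value list into a dict (last value wins)."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value, internal_domains):
    """SMTP addresses in a recipient parameter whose domain is not the tenant's."""
    internal = {d.lower() for d in internal_domains}
    return [a for a in EMAIL_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in internal]


def analyze_inbox_rule(record, internal_domains=("contoso.com",),
                       business_hours=range(8, 18), utc_offset_hours=0):
    """Triage one New-InboxRule record; return None for any other operation."""
    if record.get("Operation") != "New-InboxRule":
        return None
    p = parameters(record)
    findings = []
    for name in FORWARD_PARAMS:
        ext = external_addresses(p.get(name, ""), internal_domains)
        if ext:
            findings.append(f"{name} to external address: {', '.join(ext)}")
    hides = []
    if p.get("DeleteMessage", "").lower() == "true":
        hides.append("DeleteMessage")
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip()  # "user:\Folder" form
    if folder.lower() in HIDING_FOLDERS:
        hides.append(f"MoveToFolder={folder}")
    if p.get("MarkAsRead", "").lower() == "true":
        hides.append("MarkAsRead")
    findings.extend(hides)
    text = " ".join(p.get(k, "") for k in FILTER_PARAMS).lower()
    keywords = [k for k in FINANCIAL_KEYWORDS if re.search(rf"\b{k}\b", text)]
    if keywords:
        findings.append(f"filters on financial keywords: {', '.join(keywords)}")
    if not p.get("Name", "").strip(" .,-_"):
        findings.append("empty or punctuation-only rule name")
    # CreationTime is UTC without an offset suffix; shift into the user's local time
    created = datetime.fromisoformat(record["CreationTime"]) + timedelta(hours=utc_offset_hours)
    off_hours = created.weekday() >= 5 or created.hour not in business_hours
    if off_hours:
        findings.append(f"created off-hours at {created:%Y-%m-%d %H:%M} local")
    forwards = any(f.startswith(FORWARD_PARAMS) for f in findings)
    if forwards or (hides and keywords):
        severity = "high"
    elif hides or keywords or off_hours:
        severity = "medium"
    else:
        severity = "low"
    return {"user": record.get("UserId"), "client_ip": record.get("ClientIP"),
            "rule_name": p.get("Name", ""), "severity": severity, "findings": findings}


def triage(audit_data_json_lines, **kwargs):
    """Parse raw AuditData JSON strings (one per record) and keep inbox-rule results."""
    results = []
    for raw in audit_data_json_lines:
        result = analyze_inbox_rule(json.loads(raw), **kwargs)
        if result is not None:
            results.append(result)
    return results


def triage_samples(**kwargs):
    """Run the analyzer over the constructed samples, serialized as the log would deliver them."""
    return triage((json.dumps(rec) for rec in SAMPLE_AUDITDATA), **kwargs)


if __name__ == "__main__":
    for r in triage_samples():
        print(f"[{r['severity'].upper()}] {r['user']} rule {r['rule_name']!r} from {r['client_ip']}")
        for f in r["findings"]:
            print("   -", f)
```

In production the AuditData strings come from Search-UnifiedAuditLog (or the Office 365 Management Activity API), one JSON document per record; the Set-Mailbox sample is deliberately dropped here to show that mailbox-level forwarding needs its own rule, and Outlook desktop rules (UpdateInboxRules) are not covered by this operation at all.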
Resources
Documentation
- Exchange Online Auditing Documentation (official)
- Microsoft 365 Unified Audit Log (official)
- Exchange Online Management Shell (official)
Tools
- Microsoft 365 Compliance Center (now the Microsoft Purview compliance portal) - Web-based interface for searching and analyzing audit logs
- Exchange Online PowerShell - The ExchangeOnlineManagement module; Search-UnifiedAuditLog -Operations New-InboxRule retrieves these records, and Get-InboxRule -Mailbox <user> lists the rules currently on a mailbox for comparison
- Microsoft Graph Security API - Programmatic access to Microsoft 365 security data; audit log records are also available through the Office 365 Management Activity API
Generation Configuration
Base Frequency: 5 events/hour
Time Patterns:
- business_hours
- night_hours
- weekend
Business Hours Multiplier: 3.0x
Night Hours Multiplier: 0.2x
Weekend Multiplier: 0.1x