T1564.008 Email Hiding Rules Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousFilterTerms = dynamic([
  "malware", "phish", "phishing", "hack", "hacked", "suspicious",
  "security alert", "breach", "incident", "infected", "virus", "ransomware",
  "compromise", "unauthorized", "unusual sign-in", "unusual signin",
  "password reset", "account locked", "mfa", "multi-factor",
  "alert", "threat", "SOC", "SIEM", "security team", "IT security",
  "helpdesk", "abuse", "fraud", "intrusion", "vulnerability"
]);
// Detection path 1: Office 365 Unified Audit Log via OfficeActivity
let OfficeRuleEvents = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                       "New-TransportRule", "Set-TransportRule", "Enable-TransportRule")
| extend ParametersStr = tostring(Parameters)
| extend HasSecurityKeywords = ParametersStr has_any (SuspiciousFilterTerms)
| extend HasDeleteAction = ParametersStr has_any ("DeleteMessage", "PermanentDelete", "MoveToDeletedItems")
| extend HasMoveAction = ParametersStr has_any ("MoveToFolder", "MoveToOtherFolder")
| extend HasMarkRead = ParametersStr has "MarkAsRead"
| extend HasBodyFilter = ParametersStr has_any ("BodyContainsWords", "SubjectOrBodyContainsWords", "SubjectContainsWords")
| extend HasFromFilter = ParametersStr has_any ("FromAddressContainsWords", "From", "SenderDomainIs")
| extend SuspicionScore = toint(HasSecurityKeywords) + toint(HasDeleteAction) + toint(HasMoveAction) + toint(HasMarkRead)
| where SuspicionScore >= 1 or HasBodyFilter
| project TimeGenerated, UserAccount = UserId, Source = "OfficeActivity",
          Operation, ClientIP, UserAgent,
          SuspicionScore, HasSecurityKeywords, HasDeleteAction,
          HasMoveAction, HasMarkRead, HasBodyFilter, HasFromFilter,
          RuleDetails = ParametersStr;
// Detection path 2: PowerShell-based inbox rule creation via MDE
let PowerShellRuleEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("New-InboxRule", "Set-InboxRule")
| extend HasSecurityKeywords = ProcessCommandLine has_any (SuspiciousFilterTerms)
| extend HasDeleteAction = ProcessCommandLine has_any ("-DeleteMessage", "-PermanentDelete", "-MoveToDeletedItems")
| extend HasMoveAction = ProcessCommandLine has_any ("-MoveToFolder", "-MoveToOtherFolder")
| extend HasMarkRead = ProcessCommandLine has "-MarkAsRead"
| extend HasBodyFilter = ProcessCommandLine has_any ("-BodyContainsWords", "-SubjectOrBodyContainsWords", "-SubjectContainsWords")
| extend SuspicionScore = toint(HasSecurityKeywords) + toint(HasDeleteAction) + toint(HasMoveAction) + toint(HasMarkRead) + 1
| project TimeGenerated = Timestamp, UserAccount = AccountName, Source = "DeviceProcessEvents",
          Operation = "PowerShell-InboxRule", ClientIP = DeviceName, UserAgent = InitiatingProcessFileName,
          SuspicionScore, HasSecurityKeywords, HasDeleteAction,
          HasMoveAction, HasMarkRead, HasBodyFilter, HasFromFilter = false,
          RuleDetails = ProcessCommandLine;
union OfficeRuleEvents, PowerShellRuleEvents
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Application Log: Office 365 Unified Audit Log Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint Microsoft Sentinel OfficeActivity

Required Tables

OfficeActivity DeviceProcessEvents

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

Splunk

spl

(sourcetype="o365:management:activity"
  (Operation="New-InboxRule" OR Operation="Set-InboxRule" OR Operation="UpdateInboxRules"
   OR Operation="New-TransportRule" OR Operation="Set-TransportRule" OR Operation="Enable-TransportRule"))
OR
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*New-InboxRule*" OR CommandLine="*Set-InboxRule*")
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe"))
| eval SearchField=case(
    sourcetype="o365:management:activity", coalesce(Parameters, ""),
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", coalesce(CommandLine, ""),
    true(), "")
| eval SearchFieldLower=lower(tostring(SearchField))
| eval HasSecurityKeywords=if(match(SearchFieldLower,
    "(malware|phish|phishing|hack|hacked|suspicious|security alert|breach|incident|infected|virus|ransomware|compromise|unauthorized|unusual sign.in|password reset|account locked|\bmfa\b|multi.factor|\balert\b|\bthreat\b|\bsoc\b|\bsiem\b|security team|it security|helpdesk|abuse|fraud|intrusion|vulnerability)"),
    1, 0)
| eval HasDeleteAction=if(match(SearchFieldLower,
    "(deletemessage|permanentdelete|movetodeleteditems|-deletemessage|-permanentdelete)"),
    1, 0)
| eval HasMoveAction=if(match(SearchFieldLower,
    "(movetofolder|movetootherolder|-movetofolder|-movetoother)"),
    1, 0)
| eval HasMarkRead=if(match(SearchFieldLower, "(markasread|-markasread)"), 1, 0)
| eval HasBodyFilter=if(match(SearchFieldLower,
    "(bodycontainswords|subjectorBodycontainswords|subjectcontainswords|-bodycontainswords|-subjectorBodycontainswords|-subjectcontainswords)"),
    1, 0)
| eval SuspicionScore=HasSecurityKeywords + HasDeleteAction + HasMoveAction + HasMarkRead
| where SuspicionScore >= 1 OR HasBodyFilter=1
| eval UserAccount=coalesce(UserId, User, "unknown")
| eval SourceLabel=case(
    sourcetype="o365:management:activity", "O365 Audit",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "PowerShell/Sysmon",
    true(), sourcetype)
| table _time, SourceLabel, UserAccount, Operation, src_ip, HasSecurityKeywords, HasDeleteAction, HasMoveAction, HasMarkRead, HasBodyFilter, SuspicionScore, SearchField
| sort - _time

high severity high confidence

Data Sources

Application Log: Office 365 Unified Audit Log Process: Process Creation Sysmon Event ID 1 Splunk Add-on for Microsoft Office 365

Required Sourcetypes

o365:management:activity XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

Elastic Security (EQL)

eql

any where event.dataset == "o365.audit" and
  event.action : ("Set-InboxRule","New-InboxRule","Set-TransportRule") and
  (
    event.parameters : ("*DeleteMessage*","*MoveToFolder*","*Trash*","*Deleted Items*") or
    event.parameters : ("*SubjectContainsWords*","*SubjectOrBodyContainsWords*") and
    event.parameters : ("*malware*","*phish*","*password*","*breach*","*security*","*alert*","*incident*","*hack*")
  )

high severity high confidence

Data Sources

Microsoft 365 Audit Logs via Elastic O365 integration

Required Tables

logs-o365.audit-*

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "UserId" as User, "ClientIP" as SourceIP,
  "Operation" as Operation, "Parameters" as RuleParams,
  CASE WHEN "Parameters" ILIKE '%DeleteMessage%' THEN 10
       WHEN "Parameters" ILIKE '%MoveToFolder%' AND "Parameters" ILIKE '%(Deleted Items|Trash)%' THEN 9
       WHEN "Parameters" ILIKE '%(malware|phish|breach|security alert|hack)%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE "Operation" IN ('Set-InboxRule','New-InboxRule','New-TransportRule','Set-TransportRule')
  AND (
    "Parameters" ILIKE '%DeleteMessage%'
    OR ("Parameters" ILIKE '%MoveToFolder%' AND
        ("Parameters" ILIKE '%Deleted Items%' OR "Parameters" ILIKE '%Trash%'))
    OR ("Parameters" ILIKE '%SubjectContainsWords%' AND
        "Parameters" ILIKE ANY ('%malware%','%phish%','%security alert%','%breach%','%hack%'))
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity high confidence

Data Sources

Office 365 Management Activity via QRadar DSM

Required Tables

events

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

Sumo Logic CSE

sql

_sourceCategory=o365/audit
| json auto
| where Operation in ("Set-InboxRule","New-InboxRule","New-TransportRule","Set-TransportRule")
| eval params_lower = toLower(Parameters)
| eval is_delete = if(params_lower matches ".*deletemessage.*", 1, 0)
| eval is_move_trash = if(params_lower matches ".*movetofolder.*(deleted items|trash|junk).*", 1, 0)
| eval is_keyword_filter = if(
    params_lower matches ".*subjectcontainswords.*" AND
    params_lower matches ".*(malware|phish|security.alert|breach|hack|incident|infected|virus).*",
    1, 0)
| where is_delete == 1 OR is_move_trash == 1 OR is_keyword_filter == 1
| eval detection_type = case(is_delete == 1, "Rule_Deletes_Email",
    is_move_trash == 1, "Rule_Moves_To_Trash",
    is_keyword_filter == 1, "Rule_Filters_Security_Keywords", true(), "Suspicious_Inbox_Rule")
| table _time, UserId, ClientIP, Operation, Parameters, detection_type
| sort by _time desc

high severity high confidence

Data Sources

Office 365 Audit Logs via Sumo Logic O365 App

Required Tables

o365/audit

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

Google Chronicle / SecOps

yaral

rule email_hiding_inbox_rule {
  meta:
    author = "Detection Engineering"
    description = "Detects email inbox rules hiding security alerts (T1564.008)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.metadata.product_name = "Office 365"
    re.regex($e.metadata.product_event_type, `(?i)(Set-InboxRule|New-InboxRule|Set-TransportRule)`) nocase
    (
      re.regex($e.target.resource.attribute.labels.value, `(?i)(DeleteMessage|MoveToFolder)`) nocase or
      re.regex($e.target.resource.attribute.labels.value, `(?i)(malware|phish|breach|security.alert|hack|incident)`) nocase
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Microsoft 365 UDM Email Events

Required Tables

EMAIL_TRANSACTION

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "O365EmailRuleModified"
| (RuleAction = /DeleteMessage|MoveToFolder/i AND RuleDestination = /Deleted Items|Trash|Junk/i)
  OR (RuleCondition = /SubjectContainsWords/i AND
      RuleConditionValue = /(malware|phish|security.alert|breach|hack|incident|infected)/i)
| eval risk = case {
    RuleAction = /DeleteMessage/i : "critical";
    RuleCondition = /(malware|phish|breach)/i : "high";
    * : "medium"
  }
| table timestamp, UserName, ClientIP, RuleAction, RuleDestination, RuleCondition, RuleConditionValue, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Identity Protection - O365

Required Tables

O365EmailRuleModified

False Positives

IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts
Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists
Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)

Email Hiding Rules

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections