title: Email Hiding Rules (T1564.008)
id: df00tech-t1564-008
status: experimental
description: "Adversaries may use email inbox rules to hide inbound emails in a compromised user's mailbox. Rules can automatically move messages to less-visible folders, mark them as read, or permanently delete them — preventing users and defenders from seeing security alerts, C2 communications, or replies to spearphishing emails sent from the compromised account. Attackers commonly filter on keywords such as 'malware', 'phish', 'hack', 'suspicious', and 'security' in subject lines and message bodies. Rules can be created through email clients (Outlook, OWA), Exchange PowerShell cmdlets (New-InboxRule, Set-InboxRule), Microsoft Graph API, or organization-wide Exchange transport rules. Real-world threat actors including Scattered Spider (OCTO TEMPEST) and FIN4 have used this technique to suppress security alerts and delay incident detection. Malicious rules targeting security personnel inboxes are particularly dangerous as they can suppress vendor security product notifications and SOC escalation emails."
references:
  - https://attack.mitre.org/techniques/T1564/008/
  - https://df00tech.com/detections/T1564.008
author: df00tech
date: 2026/03/12
tags:
  - attack.t1564.008
# NOTE: logsource was auto-derived as windows/process_creation, which only sees rules created by a local
# PowerShell session. Inbox rules are applied server-side (Outlook, OWA, Graph API, Remote PowerShell all
# land in the same place), so the authoritative source is the Microsoft 365 Unified Audit Log (Exchange
# admin audit). Adjust to your environment if rules are only collected elsewhere.
logsource:
  product: m365
  service: exchange
detection:
  # Field names follow the Sigma m365/exchange convention (Unified Audit Log); map them to your backend.
  # The keyword and hide-action checks (SubjectContainsWords/BodyContainsWords containing terms such as
  # 'phish', 'malware', 'hack', 'suspicious', 'security' combined with DeleteMessage, MarkAsRead or
  # MoveToFolder) are applied in the KQL/SPL query on df00tech; this selection alone matches every
  # inbox rule creation or change and should be paired with those checks before alerting at level high.
  selection:
    eventSource: Exchange
    eventName:
      - New-InboxRule
      - Set-InboxRule
  condition: selection
falsepositives:
  - "IT administrators creating legitimate mail flow rules for routing, compliance archiving, or spam filtering via PowerShell automation scripts"
  - Help desk and support staff who create inbox rules for ticket system notifications or automated routing of service alerts
  - Legal and compliance teams creating retention rules or litigation hold configurations that move emails to specific folders
  - "Users creating personal organization rules with common words like 'alert' or 'notification' that overlap with security keyword lists"
  - "Automated onboarding scripts that create standard inbox rules for new user accounts (e.g., move newsletters to a folder)"
level: high
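As an added worked example (not part of the df00tech rule or its KQL/SPL query), the following Python hunt implements the logic the description calls for: it reads Unified Audit Log (UAL) Exchange admin records as JSON lines, keeps only New-InboxRule/Set-InboxRule operations, and flags a rule only when it both filters on one of the listed keywords and takes a hiding action (delete, mark as read, move to folder). The record schema is modelled on the UAL `AuditData` JSON (`Operation`, `Workload`, `Parameters` as a list of `Name`/`Value` pairs); the log records, user names and rule names below are constructed for the example.

```python
"""Hunt Microsoft 365 Unified Audit Log records for email-hiding inbox rules (T1564.008).

Added example, not df00tech's own detection code. Record layout is modelled on the UAL
AuditData JSON for Exchange admin cmdlets; SAMPLE_LOG is constructed, not real telemetry.
"""
import json
from typing import Dict, Iterable, List, Optional

RULE_CMDLETS = {"New-InboxRule", "Set-InboxRule"}
# Keyword list from the rule description; matched as substrings, so 'hacked' hits 'hack'.
SUSPICIOUS_KEYWORDS = ("malware", "phish", "hack", "suspicious", "security")
# Rule conditions that carry the attacker's keyword filter (multi-valued, ';'-separated in UAL).
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
# Rule actions that hide a message from the user.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder", "SoftDeleteMessage")


def _params(record: dict) -> Dict[str, str]:
    """Flatten UAL's Parameters list [{'Name': .., 'Value': ..}, ...] into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_set(value: str) -> bool:
    """UAL serialises switch/bool parameters as strings; treat anything but an explicit false as set."""
    return value.strip().lower() not in ("", "false", "$false", "0")


def analyze_record(record: dict) -> Optional[dict]:
    """Return a finding for a keyword-filtering, message-hiding inbox rule; None otherwise."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_CMDLETS:
        return None
    params = _params(record)
    hide_actions = [p for p in HIDE_PARAMS if _is_set(params.get(p, ""))]
    if not hide_actions:
        return None  # e.g. a rule that only applies a category is not hiding anything
    matched_terms: List[str] = []
    for cond in CONDITION_PARAMS:
        for term in params.get(cond, "").split(";"):
            term = term.strip().lower()
            if term and any(k in term for k in SUSPICIOUS_KEYWORDS):
                matched_terms.append(term)
    if not matched_terms:
        return None  # hide action on a benign filter ('newsletter') is a documented false positive
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "mailbox": record.get("ObjectId"),
        "operation": record["Operation"],
        "rule_name": params.get("Name") or params.get("Identity"),
        "hide_actions": hide_actions,
        "matched_terms": matched_terms,
    }


def analyze_log(lines: Iterable[str]) -> List[dict]:
    """Run analyze_record over JSON-lines input, skipping blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze_record(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (hypothetical users and rule names); one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2026-03-12T09:14:03", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "j.doe@example.com", "ObjectId": "j.doe@example.com", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "phish;malware;hacked"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-12T09:20:11", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "a.smith@example.com", "ObjectId": "a.smith@example.com", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter;digest"},
                    {"Name": "MoveToFolder", "Value": "a.smith@example.com:\\Newsletters"}]},
    {"CreationTime": "2026-03-12T09:31:47", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "b.lee@example.com", "ObjectId": "b.lee@example.com", "ResultStatus": "True",
     "Parameters": [{"Name": "Name", "Value": "Tag training"},
                    {"Name": "SubjectContainsWords", "Value": "phish"},
                    {"Name": "DeleteMessage", "Value": "False"},
                    {"Name": "ApplyCategory", "Value": "Training"}]},
    {"CreationTime": "2026-03-12T09:45:02", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "admin@example.com", "ObjectId": "j.doe@example.com", "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "j.doe@example.com"},
                    {"Name": "AuditEnabled", "Value": "True"}]},
    {"CreationTime": "2026-03-12T10:02:58", "Operation": "Set-InboxRule", "Workload": "Exchange",
     "UserId": "soc.oncall@example.com", "ObjectId": "soc.oncall@example.com", "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "soc.oncall@example.com\\Feeds"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "security;suspicious login"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "soc.oncall@example.com:\\RSS Feeds"}]},
])

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(f))
```

Only the first and last records are reported: the newsletter rule has a hide action but no suspicious keyword, the "Tag training" rule filters on 'phish' but sets `DeleteMessage` to False and only categorises, and `Set-Mailbox` is not an inbox-rule cmdlet. Requiring both a keyword hit and a hide action is what keeps the help-desk and personal-organisation rules in the falsepositives list from firing; dropping the keyword requirement (alerting on any `DeleteMessage` rule) is a reasonable tighter variant for SOC and security-vendor mailboxes, where the description notes the technique is most damaging.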
