SigmaHQ · marcopedrinazzi · Jan 26, 2026
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
@@ -1,14 +1,18 @@
 title: Mail Forwarding/Redirecting Activity In O365
 id: c726e007-2cd0-4a55-abfb-79730fbedee5
 status: test
-description: Detects email forwarding or redirecting acitivty in O365 Audit logs.
+description: Detects email forwarding or redirecting activity in O365 Audit logs.
 references:
     - https://redcanary.com/blog/email-forwarding-rules/
     - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
 author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
 date: 2023-10-11
 modified: 2024-11-17
 tags:
+    - attack.collection
+    - attack.t1114.003
+    - attack.defense-evasion
+    - attack.t1564.008
     - attack.exfiltration
     - attack.t1020
     - detection.threat-hunting

diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_hiding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_hiding_activity.yml
@@ -0,0 +1,37 @@
+title: Mail Hiding Activity in O365
+id: d3577be1-42c9-44a7-b56e-2e8de97349d3
+status: experimental
+description: |
+    Detects email-hiding activity in O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks.
+    The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.
+    Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
+references:
+    - https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
+    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
+author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
+date: 2026-01-09
+tags:
+    - attack.defense-evasion
+    - attack.t1564.008
+    - attack.exfiltration
+    - attack.collection
+    - attack.t1114.003
+    - detection.threat-hunting
+logsource:
+    service: audit
+    product: m365
+    definition: "Requirements: The 'Parameters' field is a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
+detection:
+    selection:
+        Operation:
+            - 'New-InboxRule'
+            - 'Set-InboxRule'
+        Parameters|contains:
+            - 'DeleteMessage'
+            - 'MarkAsRead'
+            - 'MoveToFolder'
+            - 'SubjectOrBodyContainsWords'
+    condition: selection
+falsepositives:
+    - Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.
+level: medium