Exchange email-hiding inbox rule

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-06-24

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Hide Artifacts: Email Hiding Rules (T1564.008)
Severity	Informational

Description

A user configured an Exchange inbox rule that may be used to hide emails.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
Check if the rule keywords look suspicious.
Investigate the IP address associated with the rule.
Follow further actions done by the account.
Check for a possible phishing campaign on the organization.
Look for multiple instances of email hiding, which may be an indication of a larger campaign.
Check if the user regularly configures inbox rules.

Variations

Possible BEC Exchange email-hiding inbox rule

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Hide Artifacts: Email Hiding Rules (T1564.008)
Severity	Medium

Description

A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
Check if the rule keywords look suspicious.
Investigate the IP address associated with the rule.
Follow further actions done by the account.
Check for a possible phishing campaign on the organization.
Look for multiple instances of email hiding, which may be an indication of a larger campaign.
Check if the user regularly configures inbox rules.

Suspicious Exchange email-hiding inbox rule

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Hide Artifacts: Email Hiding Rules (T1564.008)
Severity	Medium

Description

A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
Check if the rule keywords look suspicious.
Investigate the IP address associated with the rule.
Follow further actions done by the account.
Check for a possible phishing campaign on the organization.
Look for multiple instances of email hiding, which may be an indication of a larger campaign.
Check if the user regularly configures inbox rules.

Abnormal Exchange email-hiding inbox rule

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Hide Artifacts: Email Hiding Rules (T1564.008)
Severity	Low

Description

A user configured an Exchange inbox rule that may be used to hide emails.

Attacker's Goals

Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).

Investigative actions

Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
Check if the rule keywords look suspicious.
Investigate the IP address associated with the rule.
Follow further actions done by the account.
Check for a possible phishing campaign on the organization.
Look for multiple instances of email hiding, which may be an indication of a larger campaign.
Check if the user regularly configures inbox rules.