AN0554: Analytic 0554
Suspicious rule creation within Outlook or Exchange clients, including auto-move or delete conditions tied to incident or security alert keywords. Defender perspective: correlation between missing inbound emails and newly added mailbox rules.
Analyst context for executives and security teams
This analytic is about mailbox rules in Outlook or Exchange that may hide security-relevant messages, such as incident or alert notifications, by moving or deleting them automatically. For leaders, the practical concern is not just email abuse; it is loss of visibility during an incident, delayed response decisions, and weakened audit evidence if critical notifications disappear from user or shared mailboxes.
Executive priority
Prioritize this as an identity, email security, and incident-response readiness issue. Security leaders should ask whether the organization can prove when mailbox rules are created or changed, who created them, and whether rules can suppress incident, security alert, or escalation messages. This matters for business continuity because missed alerts can delay containment, and for compliance because email-handling evidence may be needed during investigations or audits.
Technical view
Validate monitoring for suspicious rule creation within Office Suite environments, specifically Outlook or Exchange clients. Focus on newly added mailbox rules that auto-move, delete, or otherwise divert inbound messages containing incident, security alert, or similar response-related keywords. Because the supplied ATT&CK object provides no formal detection logic, teams should build correlation around two evidence points from the official description: new mailbox rules and reports or telemetry showing missing inbound emails.
Likely telemetry
- Mailbox rule creation, modification, and deletion audit events
- Exchange or Outlook client activity logs where available
- Message trace or mail-flow records showing delivery, movement, deletion, or forwarding outcomes
- Mailbox audit logs for affected users or shared mailboxes
- Helpdesk, SOC, or user reports of missing incident or security alert emails
Detection direction
- Confirm that mailbox rule changes are logged for user and shared mailboxes in the Office Suite environment.
- Alert or hunt for newly created rules with actions such as auto-move or delete, especially when rule conditions reference incident, alert, security, ticketing, or escalation terms.
- Correlate rule creation timing with missing inbound emails or unexpected absence of expected security notifications.
- Tune carefully for legitimate user productivity rules and administrative mailbox management; prioritize rules affecting security, incident-response, executive, finance, or shared operational mailboxes.
- Account for blind spots where client-side rules, limited mailbox auditing, retention gaps, or insufficient message trace history prevent reliable reconstruction.
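As an added example (not code from the ATT&CK object or this page), the correlation in the detection direction above run over constructed sample events: a suspicious rule is one that diverts mail and whose conditions reference response-related terms, and a finding is such a rule paired with later notifications to the same mailbox that never reached the Inbox. The record schema (`operation`, `conditions`, `actions`, `in_inbox`), the action labels and the keyword list are assumptions, not a real audit-log format.

```python
from datetime import datetime, timedelta

# Terms drawn from the analytic: incident, alert, security, ticketing, escalation.
SUSPICIOUS_TERMS = ("incident", "alert", "security", "ticket", "escalation")
# Rule actions that divert mail away from the Inbox (assumed action labels).
DIVERTING_ACTIONS = ("MoveToFolder", "DeleteMessage")

def _condition_words(rule):
    return [w.lower() for words in rule["conditions"].values() for w in words]

def rule_is_suspicious(rule):
    """Diverting action AND a condition word that hits a response-related keyword."""
    diverts = any(a in rule["actions"] for a in DIVERTING_ACTIONS)
    keyword_hit = any(t in w for t in SUSPICIOUS_TERMS for w in _condition_words(rule))
    return diverts and keyword_hit

def correlate(rule_events, observations, window_hours=72):
    """Pair each suspicious new rule with later same-mailbox messages that match its words and never surfaced in the Inbox."""
    findings = []
    for rule in rule_events:
        if rule["operation"] != "New-InboxRule" or not rule_is_suspicious(rule):
            continue
        created, words = datetime.fromisoformat(rule["time"]), _condition_words(rule)
        hidden = [o["subject"] for o in observations
                  if o["recipient"] == rule["mailbox"] and not o["in_inbox"]
                  and created <= datetime.fromisoformat(o["time"]) <= created + timedelta(hours=window_hours)
                  and any(w in o["subject"].lower() for w in words)]
        if hidden:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "hidden": hidden})
    return findings

# Constructed sample rule events in an assumed, simplified schema (not a real audit-log format).
RULE_EVENTS = [
    {"time": "2026-03-01T08:02:00", "mailbox": "soc@example.test", "operation": "New-InboxRule",
     "name": "cleanup", "conditions": {"SubjectContainsWords": ["Security Alert", "Incident"]},
     "actions": {"DeleteMessage": True}},
    {"time": "2026-03-01T09:15:00", "mailbox": "alice@example.test", "operation": "New-InboxRule",
     "name": "newsletters", "conditions": {"FromAddressContainsWords": ["newsletter"]},
     "actions": {"MoveToFolder": "Newsletters"}},
]
# Constructed observations: notifications that were sent and whether they reached the Inbox.
OBSERVATIONS = [
    {"time": "2026-03-01T08:30:00", "recipient": "soc@example.test",
     "subject": "Security Alert: new Global Admin assigned", "in_inbox": False},
    {"time": "2026-03-02T10:00:00", "recipient": "soc@example.test",
     "subject": "Incident INC-0001 escalation", "in_inbox": False},
    {"time": "2026-02-27T12:00:00", "recipient": "soc@example.test",  # predates the rule
     "subject": "Security Alert: weekly summary", "in_inbox": False},
]
```

Messages that predate the rule are deliberately left out of the finding, since the rule cannot explain them; shrink `window_hours` to tighten the pairing.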
Mitigation priorities
- Ensure mailbox auditing and message trace retention are enabled and sufficient for incident investigation needs.
- Restrict or review high-risk mailbox rule behaviors where policy allows, especially delete, move-to-obscure-folder, or rules affecting security notification mailboxes.
- Include mailbox rule review in incident-response playbooks for suspected account compromise or missing-alert scenarios.
- Establish periodic review of rules on high-value, shared, and incident-response-related mailboxes.
- Use identity and access controls, such as strong authentication and least privilege for mailbox administration, to reduce unauthorized rule creation risk.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and has no tactics or relationship context. Its value is strongest as a validation prompt for email telemetry and IR playbooks: can the SOC connect mailbox rule changes to missing security communications quickly enough to support response decisions?
Official detection logic is not provided, and no relationships, threat groups, campaigns, or active exploitation context were supplied. Local Microsoft 365, Exchange, or Outlook logging configuration determines whether this analytic is actionable. Keyword lists, rule severity, and false-positive handling must be adapted to the organization’s mail flow and incident-notification process.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f35a5b09a555… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.