diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
new file mode 100644
index 00000000..62d2b5ee
--- /dev/null
+++ b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d379909545e2d03fd0334e1c498f15189b999dd0722d032028ec0fc34567f075
+size 1440
diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
new file mode 100644
index 00000000..424cd4c7
--- /dev/null
+++ b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
@@ -0,0 +1,11 @@
+author: 0xC0FFEEEE
+id: 54715c41-4283-44f7-a327-fbd230d83c60
+date: '2025-02-14'
+description: 'Detection of suspicious mailbox rule creation.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1564/008/
\ No newline at end of file