From 3c9f298602e46c28fd4638d654e55ab5e2f11f93 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Fri, 14 Feb 2025 19:52:18 +0000
Subject: [PATCH] o365 Suspicious Mailbox Rule Created
---
.../T1564.008/o365/o365_suspicious_mailbox_rule.log | 3 +++
.../T1564.008/o365/o365_suspicious_mailbox_rule.yml | 11 +++++++++++
2 files changed, 14 insertions(+)
create mode 100644 datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
create mode 100644 datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
new file mode 100644
index 00000000..62d2b5ee
--- /dev/null
+++ b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d379909545e2d03fd0334e1c498f15189b999dd0722d032028ec0fc34567f075
+size 1440
diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
new file mode 100644
index 00000000..424cd4c7
--- /dev/null
+++ b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
@@ -0,0 +1,11 @@
+author: 0xC0FFEEEE
+id: 54715c41-4283-44f7-a327-fbd230d83c60
+date: '2025-02-14'
+description: 'Detection of suspicious mailbox rule creation.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1564/008/
\ No newline at end of file
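Review bot: The `description` in o365_suspicious_mailbox_rule.yml reads as if the file were a detection, and it does not say which activity the dataset captures, so a detection author cannot tell what the 1440-byte log exercises without downloading it. I would reword it along the lines of `description: 'O365 management activity events recorded in attack_range while a suspicious inbox rule was created (T1564.008): <operation and rule parameters captured>.'`, filling the placeholder from the actual events. Because the log is committed as a Git LFS pointer, its contents are not reviewable here; o365:management:activity events usually carry tenant, user and client-IP fields, so please confirm those were scrubbed or belong to a lab tenant before the file is served from the public `dataset` URL. The file also ends without a trailing newline.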