O365 Email Security Feature Changed

name: O365 Email Security Feature Changed
id: 4d28013d-3a0f-4d65-a33f-4e8009fee0ae
version: 9
date: '2026-03-10'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies when specific O365 advanced security settings are altered within the Office 365 tenant. If an attacker successfully disables O365 security settings, they can operate within the tenant with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
data_source:
    - Office 365 Universal Audit Log
search: |-
    `o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") Operation IN ("*AntiPhish*","*SafeLink*","*SafeAttachment*","*Malware*")
      | rename Id as object_id, UserId as user, Operation as signature, ObjectId as object
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest user src
           vendor_account vendor_product signature
           object_id object
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_email_security_feature_changed_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Administrators might alter features for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
references:
    - https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
    - https://attack.mitre.org/techniques/T1562/008/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An O365 security object [$object$] was altered by user $user$ using $signature$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Persistence Mechanisms
        - Office 365 Account Takeover
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1562.001
        - T1562.008
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
          sourcetype: o365:management:activity
          source: o365