OfficeActivity - Rare and potentially high-risk Office operations and automation

Hi, I actually have not changed this rule myself yet. But my initial thought is to look at the mailboxes being shared, and to which users. From my experience, the most common false positive for this is people sharing access to their mailbox for a short period because they are going on vacation or sick leave or something else. So I would not say it is malicious to share your inbox internally. However, if shared externally and to another domain it would be more suspicious.