Old "activity alerts" broken?
A couple of years ago, we created notification alerts to be notified if a user creates a rule in their mailbox. We did this because this is a common action taken by malicious/unauthorized actors, and although it yielded some noise, it did serve a purpose.
Starting yesterday, 4/29, we started receiving alerts from various mailboxes that were all false alarms: no rules created, no suspect access when checking the logs. The alerts look like this:
---
Subject: Notification for the alert '[RULE NAME REDACTED]' from email address removed for privacy reasons
We detected activity related to one of your alerts
You're getting this message because there's activity in your Microsoft 365 organization that matches the alert 'RULE NAME REDACTED'.
Activity: Send
User: email address removed for privacy reasons
Client IP address: xxx.xxx.xxx.xxx
Time of activity (UTC): 4/30/2024 12:29:46 AM
What's Next?
Search the audit log for this user
Search the audit log for this activity
Search the audit log for other activities that would trigger this alert
NOTE: There might be more activity related to this alert since you received this email. Search the audit log to show all recent activity.
Need help searching the audit log? Check out Search the audit log in the Microsoft Purview compliance portal
Thanks,
The Microsoft 365 team
---
Sadly, the links they presented are all out of date and don't go anywhere useful. So I went to check on the status of the rule at Activity alerts - Microsoft Defender and then got a screen like the one attached.
I know that message about "We are working on a better experience for you to manage and view security and compliance alerts" has been there for years, but "Client Error" "request failed with status code 400" is new. I can click through the error and click the rule, but I can only enable or disable it; I can't adjust or have visibility into the rule. We haven't changed anything with this since 2021, when the alert rule was created. We remain on an E3/P1 license and can see there are other means in other parts of the admin interface (not here) to create an alert for the creation of forwarding e-mail rules, but that's not useful: with the fraud we've encountered/documented with vendors/clients, often there are internal rules created in the mailbox to hide content from the account holder.
Has anyone else encountered this? We're getting a handful of these alerts per day. I opened a ticket with Microsoft via the admin console 36 hours ago and haven't heard anything (based on previous experience, maybe next week?).
I'm checking to see if something changed with the permission requirements for this, but haven't found anything. Also, I checked permissions; this is the account that created the rule in 2021.
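An added example (not from the original post and not Microsoft's own tooling) of the check to run when one of these alerts fires: pull the inbox-rule operations for the flagged user from the unified audit log around the alert time and summarise what each rule actually does, so a plain "Send" that tripped the alert can be told apart from a real rule created to hide mail from the account holder. The cmdlets (Connect-ExchangeOnline, Search-UnifiedAuditLog) are real; the AuditData field names are assumed from the Exchange audit schema and vary between record types; the sample records and the flag heuristics below are constructed for illustration.

```powershell
# Added example, not part of the original post or of Microsoft's alerting.
# Verifies an "activity alert" against the unified audit log: is there really an
# inbox-rule operation for this user near the alert time, and what does the rule do?
# Assumes the ExchangeOnlineManagement module. AuditData field names (Operation,
# UserId, ClientIP, Parameters[{Name,Value}]) are assumed from the documented audit
# schema and differ slightly between record types; adjust if your records differ.

function Get-InboxRuleAuditRecords {
    # Live query; run Connect-ExchangeOnline first. Returns raw audit records.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][datetime]$AlertTimeUtc,
        [int]$WindowHours = 24
    )
    $ops = 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'UpdateInboxRules'
    Search-UnifiedAuditLog -StartDate $AlertTimeUtc.AddHours(-$WindowHours) `
                           -EndDate   $AlertTimeUtc.AddHours($WindowHours) `
                           -UserIds   $UserId -Operations $ops -ResultSize 5000
}

function Get-RuleFlags {
    # Heuristics (my own list) for rules typically used to hide mail from the mailbox owner.
    param([hashtable]$P)
    $flags = @()
    if ($P['DeleteMessage'] -eq 'True') { $flags += 'deletes matching mail' }
    if ($P['MarkAsRead']    -eq 'True') { $flags += 'marks matching mail as read' }
    if ($P['MoveToFolder'] -match 'RSS|Deleted|Junk|Archive|Conversation History') {
        $flags += "moves mail to '$($P['MoveToFolder'])'"
    }
    foreach ($k in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
        if ($P[$k]) { $flags += "$k=$($P[$k])" }
    }
    if ($P['Name'] -and $P['Name'].Trim().Length -le 1) {
        $flags += "near-empty rule name '$($P['Name'])'"
    }
    return $flags
}

function ConvertTo-InboxRuleSummary {
    # Accepts records from Search-UnifiedAuditLog (anything carrying an AuditData JSON
    # string) and emits one summary object per record, flagging the rule-related ones.
    param([Parameter(ValueFromPipeline)][object[]]$Records)
    process {
        foreach ($r in $Records) {
            $d = $r.AuditData | ConvertFrom-Json
            $params = @{}
            foreach ($p in @($d.Parameters)) { if ($p) { $params[$p.Name] = $p.Value } }
            $isRuleOp = [bool]($d.Operation -match 'InboxRule')
            [pscustomobject]@{
                Time      = $d.CreationTime
                User      = $d.UserId
                ClientIP  = $d.ClientIP
                Operation = $d.Operation
                RuleOp    = $isRuleOp
                RuleName  = $params['Name']
                Flags     = if ($isRuleOp) { (Get-RuleFlags $params) -join '; ' } else { '' }
            }
        }
    }
}

# Constructed sample records (not real audit data) so the summary runs offline:
# a plain Send, like the false alarm in the post, and a genuine hidden-mail rule.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-04-30T00:29:46","Operation":"Send","UserId":"user@example.com","ClientIP":"203.0.113.10","Parameters":[]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-04-30T00:31:02","Operation":"New-InboxRule","UserId":"user@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}' }
)

$sample | ConvertTo-InboxRuleSummary | Format-Table -AutoSize

# Live use, after Connect-ExchangeOnline, with the user and time taken from the alert e-mail:
# Get-InboxRuleAuditRecords -UserId 'user@example.com' -AlertTimeUtc ([datetime]'2024-04-30T00:29:46Z') |
#     ConvertTo-InboxRuleSummary | Where-Object RuleOp | Format-Table -AutoSize
```

The offline run shows the Send record with RuleOp False and no flags, and the New-InboxRule record flagged for deleting and marking-as-read mail under a one-character rule name. In the live path the -Operations filter already drops Send events, so an alert with no matching row in a 24-hour window is the false alarm the post describes; a row with flags is the kind of internal hiding rule the alert was built to catch.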