Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Auto-disable malicious inbox rules!
Published Oct 21 2020 02:52 PM 5,432 Views

Automation in Cloud App Security: Auto-disable Malicious Inbox Rule 


By @Caroline_Lee & @Sebastien Molendijk 


Welcome back to the Automation in Cloud App Security blog series. For those of you who have been keeping up with us, what do you think of the templates so far? Any feedback? If you are new to this series and are joining us for the first time, I encourage you to go check out our last three posts: & this series, we showcase various Power Automate flows that help to mitigate advanced customer scenarios we see today in Microsoft Cloud App Security (MCAS). 


Today, we have an awesome Power Automate template to share with you all on how to auto-disable malicious inbox forwarding rules.  


If you are unfamiliar with malicious inbox forwarding rule, attackers who gain access to a user’s credentials can create mailbox rules to forward emails to exfiltrate sensitive company data. MCAS has a built-in policy to detect this activity based on the learned behavior of a user and alert if they are potentially compromised. We walkthrough how users can investigate these types of anomalies in our investigation guide. 



We’ve taken it one step further by creating a flow that will auto-disable a malicious inbox rule if detected. The flow will initiate once an alert is generated in Cloud App Security. We’ll collect details on the compromised user, their manager, and we’ll call the MCAS API using the Provider Alert ID which is an internal ID to gain more information on the alert than what’s given by default.  


The most important value we see from the MCAS API is the “ruleName,” this show the inbox rule names which we’ll use to identify a malicious inbox rule i.e. “…” 


We will also call the Microsoft Graph to obtain a specific ID that correlates with the ruleIDUsing the ID retrieved from the Microsoft Graph API, ia malicious inbox rule is found, then the rule will be disabled. The flow will also resolve the alert in Cloud App Security and send an email to the user and the user’s manager to inform them that a remediation action was applied and the rule was disabled. 


Pairing this flow with the alert generated in Cloud App Security not only allows users to stay alert on rules that are exfiltrating data but goes one step further by disabling the rule itself. Let us know what you think of this template & if there are any use cases you’d like us to explore! 


Github template: 


Version history
Last update:
‎Nov 02 2021 04:47 PM
Updated by: