Product
M365 Exchange Inbox Rule with Obfuscated Name
2 rules 2 TTPsThis rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.
Microsoft Exchange Server Vulnerability Could Allow Arbitrary Code Execution
2 rules 1 TTPA vulnerability in Microsoft Exchange Server allows for arbitrary code execution, potentially enabling attackers to execute malicious JavaScript within a user's browser context to steal data or install malware.
CVE-2026-42897 Microsoft Exchange Server Cross-Site Scripting Vulnerability
2 rules 2 TTPsCVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server that allows an attacker to perform spoofing attacks by injecting malicious scripts into web pages.
Suspicious Processes Spawned by Microsoft Exchange Worker Process
2 rules 2 TTPsDetects suspicious processes spawned by the Microsoft Exchange Server worker process (w3wp.exe), potentially indicating exploitation or web shell activity.
Windows Shell Execution from IIS Installation Directory
2 rules 2 TTPsDetection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.
New ActiveSync Allowed Device Added via PowerShell
2 rules 3 TTPsThe rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.