
Summary
This detection rule identifies when a Safe Link policy is disabled in Microsoft 365. Safe Links is a critical phishing protection: it scans hyperlinks in messages and documents at click time, so a link is still checked even after the message has been delivered to the user. Disabling the policy increases the risk of phishing, because adversaries can then deliver malicious links without the system flagging them. The rule uses Microsoft 365 Exchange audit events that record an action disabling Safe Links, so that security analysts can investigate any potentially unauthorized change. It carries a risk score of 47 and a 'Medium' severity, which lets security teams prioritize their response appropriately, and it is integrated with the Microsoft 365 data source and tagged accordingly for efficient analysis and management.
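As an added example (not the rule's own query), the following Python sketch runs the detection logic described above over constructed Microsoft 365 audit records. It assumes the unified audit log carries the Exchange cmdlet name in an `Operation` field and reports the outcome in `ResultStatus`; the field names, the cmdlet set and the sample records are assumptions, while the risk score and severity are the ones stated in the description.

```python
import json

# Risk score and severity as stated in the rule description.
RISK_SCORE = 47
SEVERITY = "medium"

# Exchange Online cmdlets that switch a Safe Links rule off. Assumption: the
# unified audit log records the cmdlet name in its "Operation" field.
SAFE_LINKS_DISABLE_OPERATIONS = {"Disable-SafeLinksRule", "Remove-SafeLinksRule"}

# Constructed sample records shaped like Microsoft 365 unified audit log entries
# (field names Workload, Operation, ResultStatus, UserId, ObjectId are assumed).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2020-11-18T09:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "admin@example.onmicrosoft.com", "ObjectId": "n/a"},
    {"CreationTime": "2020-11-18T09:05:00", "Workload": "Exchange",
     "Operation": "Disable-SafeLinksRule", "ResultStatus": "True",
     "UserId": "admin@example.onmicrosoft.com", "ObjectId": "Default Safe Links"},
    {"CreationTime": "2020-11-18T09:06:00", "Workload": "Exchange",
     "Operation": "Disable-SafeLinksRule", "ResultStatus": "False",
     "UserId": "helpdesk@example.onmicrosoft.com", "ObjectId": "Default Safe Links"},
])


def detect_safe_links_disabled(audit_log: str) -> list[dict]:
    """Return one alert per Exchange record that successfully disabled Safe Links."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        # Only Exchange records matter, and only successful operations alert: a
        # failed attempt is worth hunting, but it did not remove the protection.
        if (record.get("Workload") != "Exchange"
                or record.get("Operation") not in SAFE_LINKS_DISABLE_OPERATIONS
                or record.get("ResultStatus") != "True"):
            continue
        alerts.append({
            "rule": "safe_links_policy_disabled",
            "risk_score": RISK_SCORE,
            "severity": SEVERITY,
            "technique": "T1566",
            "user": record["UserId"],
            "safe_links_rule": record["ObjectId"],
            "timestamp": record["CreationTime"],
        })
    return alerts
```

Running `detect_safe_links_disabled(SAMPLE_AUDIT_LOG)` yields a single alert for the successful disable by the admin account; the sign-in record and the failed attempt are ignored.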
Categories
- Cloud
- Endpoint
- Identity Management
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1566
Created: 2020-11-18