Microsoft 365 Exchange DKIM Signing Configuration Disabled

Elastic Detection Rules

Summary
This detection rule identifies when DomainKeys Identified Mail (DKIM) signing is disabled in Microsoft 365 Exchange Online. DKIM provides a method of validating the authenticity of email messages: outbound mail is cryptographically signed so that receiving servers can verify it was authorized by the sending domain and not altered in transit. Disabling DKIM exposes an organization to risks such as email spoofing and phishing. This rule monitors specific events in the Microsoft 365 audit logs, looking for instances where the DKIM signing configuration has been turned off. The rule is written in KQL (Kibana Query Language) and matches events where the action 'Set-DkimSigningConfig' executed successfully with parameters indicating that DKIM has been disabled. The rule runs against the configured Office 365 log indices and triggers on any successful change that may undermine email security. The maturity level of this rule is production, and it serves as a critical component for maintaining the integrity of email communications in the cloud environment.
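The detection logic described above, expressed as a worked example in Python rather than KQL. This is an added example, not Elastic's rule code: it replays the rule's conditions (Exchange audit event, action 'Set-DkimSigningConfig', successful outcome, Enabled parameter false) over a handful of constructed audit records. The field layout (event.dataset, event.provider, event.action, event.outcome, o365.audit.Parameters.*) is assumed to follow the ECS mapping used by Elastic's Office 365 integration; the record contents and the example.com domains are constructed. The cmdlet parameters -Identity and -Enabled are the real Set-DkimSigningConfig parameters.

```python
"""
Added example (not the Elastic rule itself): replay the rule's conditions over
constructed Microsoft 365 audit records and emit an alert per DKIM-disable event.

Assumptions: ECS-style field names as used by Elastic's Office 365 integration
(event.dataset, event.provider, event.action, event.outcome,
o365.audit.Parameters.*); all record contents below are constructed.
"""
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample records. The raw Unified Audit Log carries Exchange cmdlet
# parameters as a list of {"Name": ..., "Value": ...}; Elastic's integration
# flattens them to o365.audit.Parameters.<Name>. Both shapes appear here so the
# normaliser is exercised.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 1. DKIM signing turned off for the primary domain -> should alert
        "@timestamp": "2024-05-01T10:15:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-DkimSigningConfig", "outcome": "success"},
        "user": {"name": "admin@example.com"},
        "o365": {"audit": {"Parameters": {"Identity": "example.com", "Enabled": "False"}}},
    },
    {   # 2. Same cmdlet re-enabling DKIM -> no alert
        "@timestamp": "2024-05-01T10:20:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-DkimSigningConfig", "outcome": "success"},
        "user": {"name": "admin@example.com"},
        "o365": {"audit": {"Parameters": {"Identity": "example.com", "Enabled": "True"}}},
    },
    {   # 3. Disable attempt that failed -> no alert (outcome is not success)
        "@timestamp": "2024-05-02T08:00:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-DkimSigningConfig", "outcome": "failure"},
        "user": {"name": "helpdesk@example.com"},
        "o365": {"audit": {"Parameters": [{"Name": "Identity", "Value": "sub.example.com"},
                                          {"Name": "Enabled", "Value": "False"}]}},
    },
    {   # 4. Raw-UAL-shaped parameters, successful disable -> should alert
        "@timestamp": "2024-05-02T09:30:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-DkimSigningConfig", "outcome": "success"},
        "user": {"name": "svc-mailops@example.com"},
        "o365": {"audit": {"Parameters": [{"Name": "Identity", "Value": "mail.example.net"},
                                          {"Name": "Enabled", "Value": "False"}]}},
    },
    {   # 5. Unrelated Exchange cmdlet -> no alert
        "@timestamp": "2024-05-02T09:31:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange",
                  "action": "Set-Mailbox", "outcome": "success"},
        "user": {"name": "admin@example.com"},
        "o365": {"audit": {"Parameters": {"Identity": "alice", "ForwardingSmtpAddress": "x@example.org"}}},
    },
]

# String spellings of "false" seen in cmdlet parameter logging (PowerShell emits $false).
FALSE_VALUES = {"false", "$false", "0"}


def get_field(event: Dict[str, Any], dotted_path: str) -> Optional[Any]:
    """Walk a dotted ECS path such as 'event.action' through nested dicts."""
    current: Any = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def normalize_parameters(params: Any) -> Dict[str, Any]:
    """Accept either the flattened dict form or the raw list-of-Name/Value form."""
    if isinstance(params, dict):
        return {str(k): v for k, v in params.items()}
    if isinstance(params, list):
        return {p["Name"]: p.get("Value") for p in params if isinstance(p, dict) and "Name" in p}
    return {}


def is_false(value: Any) -> bool:
    if isinstance(value, bool):
        return value is False
    return str(value).strip().lower() in FALSE_VALUES


def is_dkim_signing_disabled(event: Dict[str, Any]) -> bool:
    """Mirror the rule: Exchange audit event, Set-DkimSigningConfig, success, Enabled false."""
    if get_field(event, "event.dataset") != "o365.audit":
        return False
    if get_field(event, "event.provider") != "Exchange":
        return False
    if get_field(event, "event.action") != "Set-DkimSigningConfig":
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    params = normalize_parameters(get_field(event, "o365.audit.Parameters"))
    return "Enabled" in params and is_false(params["Enabled"])


def find_dkim_disabled(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event, with the fields an analyst triages first."""
    alerts = []
    for event in events:
        if is_dkim_signing_disabled(event):
            params = normalize_parameters(get_field(event, "o365.audit.Parameters"))
            alerts.append({
                "timestamp": event.get("@timestamp"),
                "actor": get_field(event, "user.name"),
                "domain": params.get("Identity"),   # the -Identity argument: which domain lost signing
                "technique": "T1556",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dkim_disabled(SAMPLE_EVENTS):
        print(f"{alert['timestamp']} {alert['actor']} disabled DKIM signing for {alert['domain']}")
```

Records 1 and 4 are the only ones that satisfy every condition; the failed attempt in record 3 and the re-enable in record 2 are deliberately excluded, matching the rule's requirement of a successful outcome and an Enabled value of false. For triage, the -Identity value tells you which accepted domain lost signing; confirming current state with the Get-DkimSigningConfig cmdlet in Exchange Online PowerShell and checking whether the change was ticketed are the usual first steps before re-enabling.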
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1556
Created: 2020-11-18