
Summary
This detection rule identifies instances where a user in Microsoft 365 creates an inbox rule that deletes or moves emails containing specific suspicious keywords. Adversaries who have compromised an account frequently use such rules to conceal important security notifications or alerts from the mailbox owner. The rule triggers only when the combination of the user's principal name and source IP has not exhibited this activity within the preceding 14 days (a new-terms condition), so that routine rule creation by the same user from a familiar address does not alert repeatedly. The keywords typically associated with these rules include terms like 'invoice', 'payment', and 'security'. Leads generated by this rule should be investigated thoroughly to establish whether the creation was legitimate or malicious. Confirming what the rule actually did to messages, checking whether the source IP address is unusual for the user, and reviewing the user's wider mailbox and correspondence activity can help in assessing the overall security of the user account and their mailbox.
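The following is an added example, not the rule's own query or any vendor code, showing how the logic described above can be expressed over Exchange Online audit records: it looks for `New-InboxRule` operations whose parameters delete or move messages, checks the subject/body match terms for the keywords the summary names, and suppresses repeat alerts for a user/IP pair already seen doing this within the last 14 days. The event shape (`CreationTime`, `UserId`, `ClientIP`, `Operation`, `Parameters` as a list of `Name`/`Value` pairs) follows the Exchange audit record layout but is simplified, and the sample events are constructed for the example.

```python
from datetime import datetime, timedelta

# Keywords the detection associates with concealment rules (from the summary).
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "security")
# New-terms window: alert only when the user/IP pair has no matching
# activity in the preceding 14 days.
NEW_TERMS_WINDOW = timedelta(days=14)
# New-InboxRule parameters that carry the text the rule matches on.
TEXT_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def params_to_dict(parameters):
    """Flatten the audit record's [{Name, Value}, ...] parameter list."""
    return {p["Name"]: str(p.get("Value", "")) for p in parameters}


def normalize_ip(client_ip):
    """Strip the port Exchange audit records often append ("1.2.3.4:443", "[::1]:443")."""
    ip = client_ip.strip()
    if ip.startswith("["):                     # bracketed IPv6 with port
        return ip[1:ip.index("]")]
    if ip.count(":") == 1:                     # IPv4 with port
        return ip.split(":")[0]
    return ip


def is_suspicious_rule(event):
    """True when a New-InboxRule deletes/moves mail and matches a suspicious keyword."""
    if event.get("Operation") != "New-InboxRule":
        return False
    params = params_to_dict(event.get("Parameters", []))
    hides_mail = params.get("DeleteMessage", "").lower() == "true" or "MoveToFolder" in params
    if not hides_mail:
        return False
    match_text = " ".join(params.get(k, "") for k in TEXT_PARAMS).lower()
    return any(word in match_text for word in SUSPICIOUS_KEYWORDS)


def detect(events):
    """Return alerts for suspicious rules whose (user, IP) pair is new within the window."""
    last_seen = {}   # (user, ip) -> timestamp of most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if not is_suspicious_rule(ev):
            continue
        key = (ev["UserId"].lower(), normalize_ip(ev["ClientIP"]))
        ts = datetime.fromisoformat(ev["CreationTime"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > NEW_TERMS_WINDOW:
            alerts.append({"user": key[0], "ip": key[1], "time": ev["CreationTime"]})
        last_seen[key] = ts
    return alerts


def rule_event(time, user, ip, parameters, operation="New-InboxRule"):
    # Helper to build constructed sample records in the simplified audit shape.
    return {"CreationTime": time, "UserId": user, "ClientIP": ip,
            "Operation": operation, "Parameters": parameters}


# Constructed sample audit events (addresses from documentation ranges).
SAMPLE_EVENTS = [
    rule_event("2025-05-01T09:00:00", "alice@example.com", "203.0.113.10:443",
               [{"Name": "DeleteMessage", "Value": "True"},
                {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]),
    # Same user and IP four days later: suppressed by the 14-day window.
    rule_event("2025-05-05T10:30:00", "alice@example.com", "203.0.113.10:443",
               [{"Name": "DeleteMessage", "Value": "True"},
                {"Name": "SubjectContainsWords", "Value": "security"}]),
    # Same user from a different address: a new pair, so it alerts.
    rule_event("2025-05-06T22:15:00", "alice@example.com", "198.51.100.7",
               [{"Name": "MoveToFolder", "Value": "RSS Feeds"},
                {"Name": "BodyContainsWords", "Value": "security alert"}]),
    # Moves mail but no suspicious keyword: ignored.
    rule_event("2025-05-07T08:00:00", "bob@example.com", "203.0.113.55",
               [{"Name": "MoveToFolder", "Value": "Archive"},
                {"Name": "SubjectContainsWords", "Value": "newsletter"}]),
    # Unrelated operation: ignored.
    rule_event("2025-05-07T08:05:00", "bob@example.com", "203.0.113.55",
               [{"Name": "Identity", "Value": "bob@example.com"}], operation="Set-Mailbox"),
    # First pair again, 20 days after its last match: window expired, alerts again.
    rule_event("2025-05-25T11:00:00", "alice@example.com", "203.0.113.10:443",
               [{"Name": "DeleteMessage", "Value": "True"},
                {"Name": "SubjectOrBodyContainsWords", "Value": "payment"}]),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block over the constructed events yields three alerts (two for the first user/IP pair separated by more than 14 days, one for the new address); the same-pair event four days later is suppressed, and the keyword-free and non-rule events are ignored. Whether the rule actually deleted or moved messages, and whether the alerting IP is one the user normally signs in from, are the follow-up checks the summary describes.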
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1564
- T1564.008
Created: 2025-05-22