
Summary
This rule detects when a safe attachment rule in Microsoft 365 is disabled, which can expose the environment to malware delivered by email. Safe attachment rules enhance security by detonating email attachments in a hypervisor environment before delivery. Disabling such a rule can indicate malicious activity, including defense evasion or preparation for data exfiltration by an insider or an adversary. The rule monitors Microsoft 365 audit logs for the action 'Disable-SafeAttachmentRule' to identify when this change is made. The investigation guidance covers the user who performed the action, whether the disable operation succeeded, and any suspicious activity surrounding the event. False positives may occur during legitimate administrative changes, so managing exceptions for expected changes is recommended. If a rule is disabled, re-enable it immediately and review recent logs and potential security incidents, since harmful attachments may have bypassed scanning while the rule was off.
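The detection logic described above, run over sample audit records, as an added example (not the rule's own query or any Microsoft code). The records are constructed and follow the field names of the Office 365 Management Activity API ExchangeAdmin schema (CreationTime, Operation, UserId, ResultStatus, Workload, Parameters); the exact values, the treatment of "True"/"Success"/"Succeeded" as a successful outcome, and the change-window exception list are assumptions made for this illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of Microsoft 365 unified audit log records (not from a real tenant).
# Field names follow the ExchangeAdmin record schema; every value is invented.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"CreationTime": "2024-05-01T09:12:44", "Operation": "Disable-SafeAttachmentRule",
     "UserId": "Suspicious.User@example.com", "ResultStatus": "True", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "Block Executables"}]},
    {"CreationTime": "2024-05-01T09:15:02", "Operation": "Disable-SafeAttachmentRule",
     "UserId": "Suspicious.User@example.com", "ResultStatus": "False", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "Finance Policy"}]},   # failed attempt
    {"CreationTime": "2024-05-01T21:05:10", "Operation": "Disable-SafeAttachmentRule",
     "UserId": "admin@example.com", "ResultStatus": "True", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "Legacy Rule"}]},      # inside change window
    {"CreationTime": "2024-05-01T21:06:30", "Operation": "Enable-SafeAttachmentRule",
     "UserId": "admin@example.com", "ResultStatus": "True", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "Legacy Rule"}]},      # re-enable, not alerted
    {"CreationTime": "2024-05-01T22:00:00", "Operation": "FileAccessed",
     "UserId": "user@example.com", "ResultStatus": "Succeeded", "Workload": "SharePoint"},
])

# Exception management: approved admin + maintenance window (hypothetical values).
# Matching events are downgraded to low severity rather than dropped, so they stay auditable.
CHANGE_WINDOWS = [
    ("admin@example.com",
     datetime(2024, 5, 1, 20, 0, tzinfo=timezone.utc),
     datetime(2024, 5, 1, 22, 0, tzinfo=timezone.utc)),
]

# ExchangeAdmin records report cmdlet success as the string "True"; other workloads use
# "Success"/"Succeeded". Treating all three as success is an assumption of this example.
SUCCESS_VALUES = {"true", "success", "succeeded"}


def rule_identity(event):
    """Return the -Identity parameter of the cmdlet, i.e. the rule that was changed."""
    for param in event.get("Parameters", []):
        if param.get("Name") == "Identity":
            return param.get("Value")
    return None


def is_safe_attachment_rule_disabled(event):
    """Core detection: successful Disable-SafeAttachmentRule in the Exchange workload."""
    return (event.get("Workload") == "Exchange"
            and event.get("Operation") == "Disable-SafeAttachmentRule"
            and str(event.get("ResultStatus", "")).lower() in SUCCESS_VALUES)


def is_expected_change(actor, when, change_windows):
    """Exception check: actor is approved and the event falls inside their window."""
    return any(actor == approved and start <= when <= end
               for approved, start, end in change_windows)


def triage(log_text, change_windows=CHANGE_WINDOWS):
    """Scan newline-delimited JSON audit records and return one alert per matching event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_safe_attachment_rule_disabled(event):
            continue
        # Audit timestamps are UTC without an offset; attach tzinfo so comparisons are aware.
        when = datetime.fromisoformat(event["CreationTime"]).replace(tzinfo=timezone.utc)
        actor = event.get("UserId", "").lower()
        expected = is_expected_change(actor, when, change_windows)
        alerts.append({
            "time": event["CreationTime"],
            "actor": actor,
            "rule": rule_identity(event),
            "expected_change": expected,
            "severity": "low" if expected else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The failed disable attempt and the re-enable are deliberately not alerted: the first did not change the tenant's posture and the second is the recommended remediation. A practitioner tuning this would keep the failed attempt visible in a lower-priority query, since repeated failures from one account are themselves worth a look.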
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1562
Created: 2020-11-19