
Summary
This detection rule identifies the creation of transport rules within Microsoft 365 Exchange. Transport rules manage mail flow, including actions such as forwarding messages that match predefined conditions. The security risk is that a malicious actor who can create such rules can use them to exfiltrate sensitive data by directing email outside the organization. The rule monitors for the successful creation of any new transport rule by analyzing logs from the Exchange service. Investigators should review the related audit logs to determine whether a change is a legitimate administrative task or indicative of unauthorized access. False positives can occur when routine administrative activity or automated integrations trigger the rule; to reduce them, the organization should establish a baseline for expected transport rule modifications and filter out known, legitimate changes. On detection, disable the new transport rule immediately and audit the logs further for any suspicious activity related to transport rule alterations. This proactive approach helps maintain the security of the email system by preventing data leakage through unauthorized channels.
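The following is an added example, not the rule's own query or any vendor code, of how the logic described above can be applied to Microsoft 365 audit log records: it keeps only successful New-TransportRule operations in the Exchange workload, raises the severity when the new rule copies or redirects mail to an address outside the organization's domains, and suppresses changes by baselined actors unless they forward mail externally. The record field names (Workload, Operation, ResultStatus, UserId, Parameters) are assumed from the Office 365 Management Activity API schema, the New-TransportRule parameter names are the cmdlet's recipient parameters, and every record, domain and account in the sample data is constructed for the example.

```python
"""Triage Microsoft 365 audit log records for transport rule creation."""
import json
from typing import Iterable

# Constructed sample records. The field names follow the Office 365
# Management Activity API record schema (an assumption for this example);
# all values are made up.
SAMPLE_RECORDS = [
    json.dumps({
        "Workload": "Exchange", "Operation": "New-TransportRule",
        "ResultStatus": "Success", "UserId": "admin@contoso.example",
        "Parameters": [
            {"Name": "Name", "Value": "Legal hold copy"},
            {"Name": "BlindCopyTo", "Value": "legal@contoso.example"},
        ],
    }),
    json.dumps({
        "Workload": "Exchange", "Operation": "New-TransportRule",
        "ResultStatus": "Success", "UserId": "jdoe@contoso.example",
        "Parameters": [
            {"Name": "Name", "Value": "Invoice forwarding"},
            {"Name": "SubjectContainsWords", "Value": "invoice"},
            {"Name": "RedirectMessageTo", "Value": "archive@external.example"},
        ],
    }),
    json.dumps({  # routine change by a baselined automation account
        "Workload": "Exchange", "Operation": "New-TransportRule",
        "ResultStatus": "Success",
        "UserId": "mailflow-automation@contoso.example",
        "Parameters": [
            {"Name": "Name", "Value": "Banner for external senders"},
            {"Name": "PrependSubject", "Value": "[EXTERNAL] "},
        ],
    }),
    json.dumps({  # failed attempt: the rule fires only on success
        "Workload": "Exchange", "Operation": "New-TransportRule",
        "ResultStatus": "Failure", "UserId": "jdoe@contoso.example",
        "Parameters": [{"Name": "Name", "Value": "Broken rule"}],
    }),
]

INTERNAL_DOMAINS = {"contoso.example"}                   # assumed org domains
KNOWN_ACTORS = {"mailflow-automation@contoso.example"}   # assumed baseline
# New-TransportRule parameters whose values are recipient addresses.
FORWARDING_PARAMS = {"RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients"}


def is_transport_rule_creation(rec: dict) -> bool:
    """Core rule logic: a successful New-TransportRule in the Exchange workload."""
    return (rec.get("Workload") == "Exchange"
            and rec.get("Operation") == "New-TransportRule"
            and rec.get("ResultStatus") == "Success")


def param_map(rec: dict) -> dict:
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p.get("Name"): p.get("Value", "") for p in rec.get("Parameters", [])}


def external_recipients(params: dict) -> list:
    """Recipients of copy/redirect actions whose domain is not internal."""
    found = []
    for name in FORWARDING_PARAMS:
        # Multi-valued parameters may be logged as ';' or ',' separated lists.
        for addr in str(params.get(name, "")).replace(",", ";").split(";"):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                found.append(addr)
    return sorted(found)


def triage(lines: Iterable[str], known_actors=KNOWN_ACTORS) -> list:
    """Return findings for rule creations that merit analyst attention.

    Creations by baselined actors are suppressed unless the rule forwards
    mail externally: the baseline filters routine changes, never exfil paths.
    """
    findings = []
    for line in lines:
        rec = json.loads(line)
        if not is_transport_rule_creation(rec):
            continue
        params = param_map(rec)
        external = external_recipients(params)
        actor = rec.get("UserId", "")
        if actor in known_actors and not external:
            continue
        findings.append({
            "rule_name": params.get("Name", ""),
            "actor": actor,
            "severity": "high" if external else "low",
            "external_recipients": external,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample data, the legal-hold rule surfaces as a low-severity creation for review, the invoice rule is raised to high because it redirects mail to an external domain, the automation account's banner rule is dropped by the baseline, and the failed attempt never matches. Keeping the baseline check after the external-recipient check is deliberate: a baselined account that starts creating externally forwarding rules is exactly the case the rule exists to catch.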
Categories
- Cloud
- Web
Data Sources
- Application Log
- User Account
ATT&CK Techniques
- T1537
Created: 2020-11-18