
Summary
The rule 'O365 Email New Inbox Rule Created' detects the creation of new inbox rules, and changes to existing ones, in an Office 365 tenant. Attackers who have taken over a mailbox routinely add such rules to forward mail to an address they control, to delete or hide incoming messages (for example, replies or security notifications during a business email compromise), or to otherwise manipulate the victim's email workflow. The detection looks at the New-InboxRule and Set-InboxRule operations in the Exchange workload of the o365_management_activity data source and flags rule parameters that are commonly abused: forwarding or redirection, message deletion, obfuscation tactics such as marking mail as read, moving it to rarely viewed folders or giving the rule a meaningless name, and other potentially risky actions. Because users create inbox rules as part of normal work, the search also accounts for legitimate usage to keep false positives low; analysts should still expect to tune it for their tenant. Event ingestion requires the Splunk Microsoft Office 365 Add-on. Each alert ties the rule change to the user account involved, giving responders a starting point for reviewing the mailbox, the rule itself and the session that created it.
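As an added example, not the detection's own search (which is written in SPL) and not code from Splunk, the following Python script applies the logic described above to constructed o365_management_activity records: it keeps only Exchange-workload New-InboxRule and Set-InboxRule events, flattens the Name/Value parameter list the API emits, and reports forwarding to an external domain, deletion, mark-as-read, moves to rarely read folders and obfuscated rule names, while keeping internal forwards and keyword filters as context only. The parameter groupings, the folder list, the obfuscated-name heuristic and the sample events and domains are assumptions for this example and approximate, rather than reproduce, the detection's exact parameter list.

```python
import json
import re

# Constructed O365 Management Activity records in the shape the API emits:
# Parameters is a list of {"Name": ..., "Value": ...}. Not real tenant data.
SAMPLE_EVENTS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "Attacker [SMTP:mailbox@attacker.example]"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}]},
    {"Workload": "Exchange", "Operation": "Set-InboxRule",  # benign tidy-up
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Workload": "Exchange", "Operation": "Set-InboxRule",  # hiding rule
     "UserId": "eve@contoso.example", "ClientIP": "192.0.2.44",
     "Parameters": [{"Name": "Identity", "Value": "Personal"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Workload": "Exchange", "Operation": "Remove-InboxRule",  # out of scope
     "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "Old rule"}]},
    {"Workload": "SharePoint", "Operation": "FileAccessed",  # wrong workload
     "UserId": "dave@contoso.example", "Parameters": []},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Parameter groupings are an assumption for this example; they approximate,
# not reproduce, the parameter list the Splunk detection uses.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
DELETE_PARAMS = {"DeleteMessage", "SoftDeleteMessage"}
HIDE_PARAMS = {"MarkAsRead"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
# Folders commonly chosen to bury mail the victim should not see (assumed list).
ABUSED_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parameters(event):
    """Flatten the API's Name/Value list into a dict of string values."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def triage_event(event, internal_domains):
    """Return a finding dict for one record, or None if out of scope or benign."""
    if event.get("Workload") != "Exchange" or event.get("Operation") not in OPERATIONS:
        return None
    params = parameters(event)
    present = set(params)
    reasons, context = [], []
    for name in sorted(FORWARD_PARAMS & present):
        addresses = EMAIL_RE.findall(params[name])  # handles "Display [SMTP:addr]" form
        external = [a for a in addresses
                    if a.rsplit("@", 1)[1].lower() not in internal_domains]
        if external:
            reasons.append(f"{name} to external address: {', '.join(external)}")
        else:  # internal forwards are common; keep as context only
            context.append(f"{name}={params[name]}")
    for name in sorted((DELETE_PARAMS | HIDE_PARAMS) & present):
        if params[name].lower() == "true":
            reasons.append(f"{name} enabled")
    folder = params.get("MoveToFolder", "")
    if folder.strip().lower() in ABUSED_FOLDERS:
        reasons.append(f"MoveToFolder to rarely read folder: {folder}")
    rule_name = params.get("Name", "")  # New-InboxRule carries the rule name here
    if rule_name and not re.search(r"[A-Za-z0-9]{2,}", rule_name):
        reasons.append(f"obfuscated rule name: {rule_name!r}")
    for name in sorted(KEYWORD_PARAMS & present):  # what the rule matches on
        context.append(f"{name}={params[name]}")
    if not reasons:
        return None
    return {"user": event.get("UserId"), "operation": event["Operation"],
            "client_ip": event.get("ClientIP"), "reasons": reasons,
            "context": context}


def triage(raw_lines, internal_domains=("contoso.example",)):
    """Run the triage over newline-delimited JSON records."""
    internal = {d.lower() for d in internal_domains}
    findings = [triage_event(json.loads(line), internal) for line in raw_lines]
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(json.dumps(finding, indent=2))
```

Run as-is, the script reports alice (external forward, deletion, one-character rule name, with the keyword filter recorded as context) and eve (mark as read plus a move to RSS Feeds), while bob's move to a normal folder and the out-of-scope records produce nothing. Treating internal-domain forwards as context rather than findings is the kind of legitimate-usage allowance the summary refers to; the same grouping can be expressed in SPL against the parsed Parameters field, and the Python form exists only to make the logic executable here.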
Categories
- Cloud
- Identity Management
- Web
- Application
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1114 (Email Collection)
- T1114.003 (Email Collection: Email Forwarding Rule)
- T1564.008 (Hide Artifacts: Email Hiding Rules)
Created: 2025-01-20