O365 Threat Intelligence Suspicious Email Delivered

Splunk Security Content

Summary
This detection rule identifies and alerts on suspicious emails that the Advanced Threat Protection engine reports as delivered to users within the Microsoft Office 365 ecosystem. It focuses specifically on emails flagged as suspicious by built-in Office 365 detection capabilities, such as Safe Attachments and Safe Links, and so extends the detection and response coverage those features already provide. The rule uses data from the O365 Unified Audit Log and aggregates the relevant information about each suspicious email, including sender details, recipients, subject, and the threats detected in the message. Understanding the nature of these emails is critical because attackers frequently use email as a vector for phishing attempts, malware delivery, and other attacks. The rule is intended for organizations using the Splunk platform and requires the Splunk Microsoft Office 365 Add-on to ingest the relevant audit log data. It is particularly relevant for E3/E5 Office 365 customers, who have access to the advanced security features on which it depends.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Pod
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1566.002
Created: 2024-11-14