
M365 Exchange Inbox Rule with Obfuscated Name

Elastic Detection Rules

Summary
This rule detects creation or modification of Microsoft 365 Exchange inbox rules whose name consists solely of special characters. The rule name is extracted from o365.audit.ObjectId, which carries the mailbox path and the rule name separated by a backslash: the detection logic parses ObjectId with a grok pattern to derive Esql.inbox_rule_name and then filters for names that match a regex of symbols only. Adversaries use this kind of naming to hide malicious forwarding, deletion, or evasion rules from security tooling and from casual review in the Microsoft 365 compliance portal. The rule triggers only on successful New-InboxRule or Set-InboxRule events and surfaces additional context from the o365.audit fields (such as UserId) and from Parameters (such as ForwardTo and RedirectTo) to assess potential abuse, for example external forwarding, deletion, or moves to an obscure folder.

The rule is mapped to MITRE ATT&CK techniques T1564.008 (Hide Artifacts: Email Hiding Rules) and T1137.005 (Office Application Startup: Outlook Rules) under Defense Evasion and Persistence. Investigation guidance emphasizes validating the parsed rule identity, correlating the actor with sign-in logs, reviewing the rule actions (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), and hunting for additional rules created by the same user or from the same IP address.

False positives may arise from legitimate automation or third-party tools that create symbol-rich rule names; document approved scripts and exclude them as needed. Note that because the match requires the entire name to be symbols, a name containing even a single letter or digit falls outside this rule and needs separate coverage. Remediation steps include removing unauthorized rules, resetting the user's credentials, and scanning the tenant for further malicious inbox or transport rules. The rule's risk score is 47 and its severity is medium, indicating a notable but not critical threat that requires prompt verification. Relevant references include Microsoft's security blog on AI-enabled campaigns.
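The detection logic described above, re-implemented in Python as an added example so it can be run offline over sample events. This is not the Elastic rule's own ES|QL and not code from the Elastic Detection Rules repository; the ObjectId split on the final backslash, the symbols-only regex, the o365.audit field names used in the sample documents, and the sample events themselves are constructed for illustration. It also adds the hunting pivot the investigation guidance calls for (counting alerts per user and client IP), which the rule itself does not do.

```python
"""Re-implementation of the inbox-rule obfuscated-name check (example code, not Elastic's)."""
import re
from collections import Counter

# Assumption: the rule name is everything after the final backslash in ObjectId.
# Assumption: "only symbols" means no letters, digits, or whitespace (Unicode-aware;
# underscore counts as a word character here, so "___" would not be flagged).
SYMBOLS_ONLY = re.compile(r"^[^\w\s]+$")

# Action parameters named in the investigation guidance that are worth surfacing.
ACTION_KEYS = ("ForwardTo", "RedirectTo", "DeleteMessage", "MoveToFolder", "SubjectContainsWords")

# Constructed sample events (not real tenant data), shaped like o365.audit documents:
# Parameters is a list of {"Name": ..., "Value": ...} as Exchange logs it.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "ResultStatus": "Success", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "contoso.onmicrosoft.com/Users/alice\\.",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "attacker@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "ResultStatus": "Success", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "ObjectId": "contoso.onmicrosoft.com/Users/bob\\Invoices to folder",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "New-InboxRule", "ResultStatus": "Success", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "contoso.onmicrosoft.com/Users/alice\\...",
     "Parameters": [{"Name": "Name", "Value": "..."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "ResultStatus": "Failed", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.44", "ObjectId": "contoso.onmicrosoft.com/Users/carol\\!!!",
     "Parameters": [{"Name": "Name", "Value": "!!!"}]},
    {"Operation": "New-InboxRule", "ResultStatus": "Success", "UserId": "dave@example.com",
     "ClientIP": "192.0.2.9", "ObjectId": "contoso.onmicrosoft.com/Users/dave\\Ważne",
     "Parameters": [{"Name": "Name", "Value": "Ważne"}]},
]


def split_object_id(object_id):
    """Return (mailbox, rule_name), or None when ObjectId has no backslash separator."""
    mailbox, sep, rule_name = object_id.rpartition("\\")
    if not sep or not rule_name:
        return None
    return mailbox, rule_name


def is_obfuscated_name(rule_name):
    """True when the rule name is made only of symbols (see SYMBOLS_ONLY assumption)."""
    return SYMBOLS_ONLY.fullmatch(rule_name) is not None


def evaluate(event):
    """Apply the rule's filters to one event; return triage context or None."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    if event.get("ResultStatus") != "Success":       # only successful operations
        return None
    parsed = split_object_id(event.get("ObjectId", ""))
    if parsed is None:
        return None
    mailbox, rule_name = parsed
    if not is_obfuscated_name(rule_name):
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    return {
        "user": event.get("UserId"),
        "client_ip": event.get("ClientIP"),
        "mailbox": mailbox,
        "rule_name": rule_name,
        "operation": event["Operation"],
        "actions": {k: params[k] for k in ACTION_KEYS if k in params},
        # Forwarding/redirecting is the highest-impact action to check first.
        "external_forward": any(k in params for k in ("ForwardTo", "RedirectTo")),
    }


def run_detection(events):
    """Run the check over a batch of events and keep only the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


def repeat_offenders(alerts):
    """Hunting pivot: alerts per (user, client IP) to spot a burst of rules from one actor."""
    return Counter((a["user"], a["client_ip"]) for a in alerts)


if __name__ == "__main__":
    found = run_detection(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(repeat_offenders(found))
```

Run over the constructed batch, only the two rules owned by alice fire: the failed `!!!` creation, the readable `Invoices to folder` name, and the Unicode name `Ważne` all drop out, which is the behaviour the rule's ResultStatus and symbols-only filters imply. The `external_forward` flag and the per-actor counter are the two fields an analyst reaches for first when triaging a hit.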
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1564
  • T1564.008
  • T1137
  • T1137.005
Created: 2026-05-27