O365 BEC Email Hiding Rule Created

Splunk Security Content

Summary
The O365 BEC Email Hiding Rule Created detection rule identifies potentially malicious inbox-rule creation in Office 365, a common indicator of Business Email Compromise (BEC). It searches the Office 365 management activity logs for operations that create new inbox rules, specifically the `New-InboxRule` command.

The rule scores each new inbox rule on attributes typically associated with suspicious mailbox rules: the entropy of the rule name, its length, whether it marks emails as read, and the destination folder of moved emails. The attribute scores are combined into an overall suspicion score, and a score above 2 triggers the detection.

False positives may occur when legitimate mailbox rule names are very short, so the scoring thresholds may need to be adjusted to the organizational context. Implementation requires the Splunk Microsoft Office 365 Add-on and ingestion of the relevant management activity events. The analytic aims to proactively mitigate BEC risk by alerting security teams to unusual mailbox rule creation activity.
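The scoring idea above, re-implemented in Python over constructed sample events as an added example (this is not the Splunk Security Content search itself, which is written in SPL). The events are shaped like Office 365 management activity records for `New-InboxRule`, where cmdlet arguments arrive as a `Parameters` list of `Name`/`Value` pairs. The per-attribute points, the list of hiding folders, and the short-name and low-entropy cut-offs are assumptions made for this example; only the "score above 2 triggers" threshold comes from the page.

```python
"""Scoring-based detection of suspicious Office 365 inbox rules (added example)."""
import math
from collections import Counter

# Folders that hidden mail is commonly routed into (assumed list, not from the page).
SUSPICIOUS_FOLDERS = {
    "rss subscriptions", "rss feeds", "junk email", "junk e-mail",
    "deleted items", "archive", "conversation history",
}
ALERT_THRESHOLD = 2       # from the page: a score above 2 triggers the detection
SHORT_NAME_MAX_LEN = 3    # assumption: names of 3 characters or fewer count as short
LOW_ENTROPY_BITS = 1.5    # assumption: below this Shannon entropy the name is "low entropy"

# Constructed sample events in the shape of O365 management activity records
# (only the fields this example needs are included).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
     ]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [
         {"Name": "Name", "Value": "Move newsletters to Reading"},
         {"Name": "MoveToFolder", "Value": "Reading"},
         {"Name": "From", "Value": "news@example.org"},
     ]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [
         {"Name": "Name", "Value": "Archive old vendor mail"},
         {"Name": "MoveToFolder", "Value": "Archive"},
     ]},
    # Unrelated operation: must be ignored by the detector.
    {"Operation": "Set-Mailbox", "UserId": "dave@example.com", "Parameters": []},
]


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def rule_parameters(event):
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p.get("Name"): p.get("Value") for p in event.get("Parameters", [])}


def score_inbox_rule(event):
    """Return (score, reasons) for a New-InboxRule event; each matched attribute adds one point."""
    params = rule_parameters(event)
    name = params.get("Name") or ""   # a missing name is treated as empty (short, zero entropy)
    reasons = []
    if len(name) <= SHORT_NAME_MAX_LEN:
        reasons.append("short rule name")
    if shannon_entropy(name) < LOW_ENTROPY_BITS:
        reasons.append("low-entropy rule name")
    if str(params.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks mail as read")
    if str(params.get("MoveToFolder", "")).lower() in SUSPICIOUS_FOLDERS:
        reasons.append("moves mail to a hiding folder")
    if str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes mail")
    return len(reasons), reasons


def detect(events):
    """Return a list of alert dicts for New-InboxRule events whose score exceeds the threshold."""
    alerts = []
    for event in events:
        if event.get("Operation") != "New-InboxRule":
            continue
        score, reasons = score_inbox_rule(event)
        if score > ALERT_THRESHOLD:
            alerts.append({"UserId": event.get("UserId"),
                           "RuleName": rule_parameters(event).get("Name"),
                           "Score": score, "Reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, only the first sample event is reported: a one-character rule name scores on both length and entropy, and marking mail as read plus moving it to "RSS Subscriptions" brings the total to 4. Carol's "Archive" rule scores 1 and stays below the threshold, which is the kind of borderline legitimate rule the page's false-positive note refers to; tuning `SHORT_NAME_MAX_LEN` and `LOW_ENTROPY_BITS` is where organizational adjustment would happen.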
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1564
  • T1564.008
Created: 2025-02-14