
Summary
This detection rule for Office 365 Mailbox Tampering targets suspicious activity in which a single user executes a combination of three specific mailbox-related operations, AddFolderPermissions, UpdateInboxRules, and MailItemsAccessed, within a short time window (60 seconds). This combination is indicative of potential malicious activity: threat actors use these techniques to establish persistence in a compromised mailbox, redirect email to unauthorized recipients, or stealthily extract sensitive information. The rule employs a Splunk query that fetches the relevant events from Office 365 audit logs, counts the distinct operations each user performed within the defined timeframe, and flags any user for whom all three actions are observed. Monitoring these activities helps detect and mitigate unauthorized access to or manipulation of mailbox content, providing a crucial layer of security within the Office 365 environment.
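The summary describes the rule's logic but does not reproduce its Splunk query. The following Python is an added example, not the rule's own query or any code from the rule author, that re-implements the described logic over constructed Office 365 audit events: group events by user, look for a 60-second window that contains all three operations, and emit one finding per user. The field names UserId, Operation and CreationTime follow the Office 365 unified audit log schema; the event values are constructed, and the sliding window is an assumption (the actual Splunk query may use fixed 60-second time buckets instead).

```python
"""Re-implementation of the Office 365 Mailbox Tampering logic (added example,
not the rule's Splunk query). Events and users below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The three operations the rule requires to co-occur for one user.
REQUIRED_OPERATIONS = {"AddFolderPermissions", "UpdateInboxRules", "MailItemsAccessed"}

# Constructed sample events mimicking unified audit log records (values are made up).
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-07T10:00:05Z", "UserId": "alice@example.com", "Operation": "MailItemsAccessed"},
    {"CreationTime": "2025-03-07T10:00:20Z", "UserId": "alice@example.com", "Operation": "UpdateInboxRules"},
    {"CreationTime": "2025-03-07T10:00:50Z", "UserId": "alice@example.com", "Operation": "AddFolderPermissions"},
    # bob performs all three, but spread over 5.5 minutes: no 60-second window contains them all.
    {"CreationTime": "2025-03-07T09:00:00Z", "UserId": "bob@example.com", "Operation": "MailItemsAccessed"},
    {"CreationTime": "2025-03-07T09:05:00Z", "UserId": "bob@example.com", "Operation": "UpdateInboxRules"},
    {"CreationTime": "2025-03-07T09:05:30Z", "UserId": "bob@example.com", "Operation": "AddFolderPermissions"},
    # carol only reads mail: the most common operation on its own is not a finding.
    {"CreationTime": "2025-03-07T11:00:00Z", "UserId": "carol@example.com", "Operation": "MailItemsAccessed"},
    {"CreationTime": "2025-03-07T11:00:10Z", "UserId": "carol@example.com", "Operation": "MailItemsAccessed"},
]


def parse_time(ts: str) -> datetime:
    """Parse the audit log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_mailbox_tampering(events, window_seconds=60, required=REQUIRED_OPERATIONS):
    """Return one finding per user who performed every required operation
    inside some window of `window_seconds` (sliding window, assumed here)."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for event in events:
        if event["Operation"] in required:
            by_user[event["UserId"]].append((parse_time(event["CreationTime"]), event["Operation"]))

    findings = []
    for user, user_events in by_user.items():
        user_events.sort()  # chronological order so each event can anchor a window
        for i, (start, _) in enumerate(user_events):
            seen = set()
            end = start
            for ts, op in user_events[i:]:
                if ts - start > window:
                    break
                seen.add(op)
                end = ts
            if required <= seen:
                findings.append({
                    "user": user,
                    "window_start": start.isoformat(),
                    "window_end": end.isoformat(),
                    "operations": sorted(seen),
                })
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_tampering(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three operations is what keeps this rule quiet: MailItemsAccessed alone fires constantly for legitimate mailbox use, so a detection on that event by itself would be unusable. A sliding window also catches sequences that straddle a fixed bucket boundary; if the production query bins on fixed 60-second buckets, a sequence split across two buckets would be missed, which is worth checking when tuning the rule.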
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1114.003
- T1114.002
- T1114.001
Created: 2025-03-07