Microsoft 365 Exchange Malware Filter Policy Deletion

Elastic Detection Rules

Summary
This rule detects the deletion of malware filter policies in Microsoft 365, specifically through Exchange services. Malware filter policies are central to identifying and responding to malware in email, so their deletion can signal unauthorized activity: a possible account compromise or an attempt to bypass security controls. The rule looks for audit log events that record a successful deletion of such a policy, which may indicate a defense evasion tactic by a malicious actor. Investigation should include reviewing the audit logs, identifying the user who performed the deletion, and assessing whether the action was legitimate. False positives can arise from legitimate administrator activity or automated scripts and can be managed through logging and verification processes. Immediate response should include isolating affected accounts, recreating the deleted policies, and strengthening security measures to prevent recurrence. Links to Microsoft documentation and the relevant MITRE ATT&CK techniques are provided to help in understanding and mitigating the associated risks.
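As an added illustration, not the rule's own query (which this page does not show), the following Python applies the logic described above to a few constructed Microsoft 365 audit events. It assumes ECS-style field names for the events and the Exchange Online cmdlet name Remove-MalwareFilterPolicy as the operation recorded when a policy is removed.

```python
import json

# Constructed sample audit events (not real tenant data). The ECS-style field
# layout and the recorded cmdlet name are assumptions for this example.
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Remove-MalwareFilterPolicy", "outcome": "success"},
     "user": {"name": "alice@example.com"}, "source": {"ip": "203.0.113.7"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Remove-MalwareFilterPolicy", "outcome": "failure"},
     "user": {"name": "bob@example.com"}, "source": {"ip": "198.51.100.9"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Set-MalwareFilterPolicy", "outcome": "success"},
     "user": {"name": "alice@example.com"}, "source": {"ip": "203.0.113.7"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange",
               "action": "Remove-MalwareFilterPolicy", "outcome": "success"},
     "user": {"name": "svc-automation@example.com"}, "source": {"ip": "192.0.2.5"}},
]


def is_policy_deletion(event):
    """True when an Exchange audit record shows a *successful* policy removal.

    Failed attempts and other policy operations (for example Set-*) do not match,
    which mirrors the summary's focus on successful deletions."""
    ev = event.get("event", {})
    return (ev.get("dataset") == "o365.audit"
            and ev.get("provider") == "Exchange"
            and ev.get("action") == "Remove-MalwareFilterPolicy"
            and ev.get("outcome") == "success")


def find_deletions(events, known_automation=()):
    """Return (user, source ip, suppressed) for every matching event.

    known_automation lists accounts whose deletions are expected (e.g. a
    change-management script). Their hits are still returned but flagged as
    suppressed, so an analyst can verify them rather than silently drop them."""
    hits = []
    for event in events:
        if not is_policy_deletion(event):
            continue
        user = event.get("user", {}).get("name", "<unknown>")
        ip = event.get("source", {}).get("ip", "<unknown>")
        hits.append((user, ip, user in known_automation))
    return hits


if __name__ == "__main__":
    for user, ip, suppressed in find_deletions(SAMPLE_EVENTS, {"svc-automation@example.com"}):
        print(json.dumps({"user": user, "source_ip": ip, "suppressed": suppressed}))
```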
Categories
  • Cloud
  • Infrastructure
Data Sources
  • Cloud Service
  • Application Log
  • User Account
ATT&CK Techniques
  • T1562
Created: 2020-11-19