The title, essentially. It appears to be an anti-forensics measure. The only thing I can think of is it would prevent recovery of deleted rules. Any thoughts/experiences?
The Outlook rules are also documented in the M365 audit logs. So yes, it’s anti-forensics. But pretty weak. I haven’t seen a TA delete the rules…but commonly see the TA create the rules. Honestly, I don’t see much anti-forensics in the wild. They come in. Do damage. Leave. That’s how most of my engagements go.
Oh, and they love to maintain persistence. So by “leave,” I really mean they leave a mess, and if you don’t work hard to kick them out, they’ll set themselves up for round 2 of damage in a few months.
In case anyone happens on here wondering why that happened: the “Outlook Rules Organizer” object is what stores the details of the client-side rules. If it didn’t delete this, then it is possible that some client rule would fire first and thereby alert you to the attack.
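Two points in this thread are worth turning into something you can actually run: that inbox-rule creation and deletion land in the M365 unified audit log, and that client-side (Outlook) rule changes are a separate path from rules set through PowerShell or OWA. The script below is an added example written for this page, not code from anyone in the thread. It triages records in the shape `Search-UnifiedAuditLog` returns (flat `Operation`/`UserId` fields plus an `AuditData` JSON string whose `Parameters` list carries the rule's name and actions). The sample records, mailbox and addresses are constructed for illustration; the operation names are the ones Exchange auditing uses for inbox-rule changes, with `UpdateInboxRules` being the mailbox-audit action logged when an Outlook client rewrites the rule set.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Operations Exchange auditing records for inbox-rule changes. The first five
# come from the admin audit log (PowerShell / OWA); UpdateInboxRules is the
# mailbox-audit action logged when an Outlook client rewrites the rule set.
RULE_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule", "Remove-InboxRule",
    "Enable-InboxRule", "Disable-InboxRule", "UpdateInboxRules",
}
# Rule actions that keep mail out of the victim's sight.
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
# Rule actions that copy mail to another address.
FORWARDING_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _rec(op: str, user: str, **audit: Any) -> Dict[str, Any]:
    """Build one constructed record in the Search-UnifiedAuditLog shape."""
    return {"Operation": op, "UserId": user, "AuditData": json.dumps(audit)}


# Constructed sample records (not real log data); names and addresses are made up.
SAMPLE_RECORDS = [
    _rec("New-InboxRule", "victim@contoso.com", Parameters=[
        {"Name": "Name", "Value": ".."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "MoveToFolder", "Value": "victim@contoso.com:\\RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"},
    ]),
    _rec("Set-InboxRule", "victim@contoso.com", Parameters=[
        {"Name": "Identity", "Value": "Cleanup"},
        {"Name": "ForwardTo", "Value": "archive@attacker.example"},
    ]),
    _rec("Remove-InboxRule", "victim@contoso.com", Parameters=[
        {"Name": "Identity", "Value": ".."},
    ]),
    _rec("UpdateInboxRules", "victim@contoso.com",
         ClientInfoString="Client=MSExchangeRPC", OperationProperties=[]),
    _rec("Enable-InboxRule", "victim@contoso.com", Parameters=[
        {"Name": "Identity", "Value": "Newsletters"},
    ]),
    _rec("MailItemsAccessed", "victim@contoso.com", OperationCount=3),
]


def parse_parameters(audit_data: str) -> Dict[str, str]:
    """Flatten AuditData's Parameters list ([{"Name": .., "Value": ..}, ...]) into a
    dict, dropping empty and False-valued entries so that membership below means
    "this action is actually configured on the rule"."""
    data = json.loads(audit_data)
    params: Dict[str, str] = {}
    for p in data.get("Parameters") or []:
        name, value = p.get("Name"), p.get("Value")
        if name and value not in (None, "", "False", False):
            params[name] = str(value)
    return params


def triage_record(record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a finding for an inbox-rule operation, or None for any other record."""
    op = record.get("Operation")
    if op not in RULE_OPERATIONS:
        return None
    params = parse_parameters(record.get("AuditData") or "{}")
    flags: List[str] = []
    if op == "Remove-InboxRule":
        flags.append("rule_removed")             # cleanup of evidence, but still logged
    if op == "UpdateInboxRules":
        flags.append("client_side_rule_change")  # rule set rewritten from an Outlook client
    if HIDING_ACTIONS & set(params):
        flags.append("hides_mail")
    if FORWARDING_ACTIONS & set(params):
        flags.append("forwards_mail")
    return {
        "user": record.get("UserId"),
        "operation": op,
        "rule": params.get("Name") or params.get("Identity"),
        "flags": flags,
        "actions": {k: v for k, v in params.items()
                    if k in HIDING_ACTIONS or k in FORWARDING_ACTIONS},
    }


def triage(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Every inbox-rule operation in the input, in order, each with its flags."""
    return [f for f in map(triage_record, records) if f is not None]


def flagged(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Only the findings that carry at least one flag."""
    return [f for f in triage(records) if f["flags"]]


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

To use it on real data, export the records with `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,Remove-InboxRule,UpdateInboxRules` (plus a date range) and feed the resulting objects, or their JSON export, into `triage`. The point of keeping `Remove-InboxRule` as a flag of its own is the one made above: deleting a rule, like deleting the client-side rules object, removes it from the mailbox but not from the audit trail.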