🔥 3-day streak
Microsoft Security Operations Analyst132 / 190
Question 132 of 190

During an incident investigation, a user reports that emails they never sent appeared in their Sent Items, and colleagues received phishing messages from their account. You suspect an attacker created an inbox rule to auto-forward mail externally. Using Microsoft Purview Audit (Standard), which activity/operation should you search for to confirm that a mailbox rule was created by the compromised account?

Reviewed for accuracy · Report an issueNext question