Rule
Office 365 Unusual Volume of Emails Sent
Purpose
This detection triggers when 200 or more emails have been sent out from a single mailbox within one hour.
Objective
Detect an unusually high volume of outbound emails from one mailbox.
How to test
Use a test Office 365 account.
Create a script or manually send over 200 emails within one hour. This can be achieved using PowerShell or a bulk email-sending tool, such as the following:
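import os
import smtplib
import time
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Office 365 SMTP server configuration.
smtp_server = "smtp.office365.com"
smtp_port = 587
# Credentials are read from the environment (variable names are this script's
# own) so the test account password is not kept in the file; the original
# placeholders remain as defaults.
smtp_user = os.environ.get("O365_TEST_SMTP_USER", "your_email@domain.com")
smtp_password = os.environ.get("O365_TEST_SMTP_PASSWORD", "your_password")

# Email details.
subject = "Test Email"
from_email = smtp_user
to_email = "recipient_email@domain.com"
body_template = "This is test email number {}."

# Number of emails to send: 201 is just over the 200-in-one-hour threshold.
num_emails = 201
# Seconds between sends; 201 * 17 s is about 57 minutes, inside the window.
interval_seconds = 17


def build_message(from_email, to_email, subject, body):
    """Return a plain-text multipart MIME message with the given headers.

    Args:
        from_email: value for the From header.
        to_email: value for the To header.
        subject: value for the Subject header.
        body: plain-text body attached as the single part.
    """
    msg = MIMEMultipart()
    msg["From"] = from_email
    msg["To"] = to_email
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    return msg


def send_email(smtp_server, smtp_port, smtp_user, smtp_password,
               from_email, to_email, subject, body):
    """Send one plain-text email over STARTTLS and print the outcome.

    Returns True when the server accepted the message and False when an
    SMTP or socket error occurred; the error is printed rather than raised
    so that one failed send does not abort the whole run.
    """
    msg = build_message(from_email, to_email, subject, body)
    try:
        with smtplib.SMTP(smtp_server, smtp_port) as server:
            server.starttls()  # upgrade to TLS before credentials are sent
            server.login(smtp_user, smtp_password)
            server.send_message(msg)
    except (smtplib.SMTPException, OSError) as e:
        # Narrowed from a bare Exception: only delivery/connection failures
        # are expected here; anything else is a bug and should surface.
        print(f"Failed to send email: {e}")
        return False
    print(f"Email sent to {to_email}")
    return True


if __name__ == "__main__":
    print(f"Starting to send {num_emails} emails...")
    for i in range(1, num_emails + 1):
        body = body_template.format(i)
        send_email(smtp_server, smtp_port, smtp_user, smtp_password,
                   from_email, to_email, subject, body)
        # Pace the sends so the whole batch lands inside the one-hour window;
        # no wait is needed after the final message.
        if i < num_emails:
            time.sleep(interval_seconds)
    print(f"Completed sending {num_emails} emails.")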