ChatOps topic guide: Suspicious mail rules

Push provides suspicious mail rule detection for Microsoft 365 and Google Workspace. With this ChatOps topic, you can work directly with employees to verify if they created a mail rule before spending precious time to investigate and triage.

If an employee confirms they didn't create the rule, Push will disable it where possible and notify your security team.

What kind of messages are sent?

When an external mail forwarding rule is created, Push will message the owner of the inbox asking if they just created it.

If the mail rule is legitimate, the creation will be fresh in their mind so the employee can confidently answer yes. If they don’t recognize the rule, the employee will answer no and Push will disable the rule automatically on Microsoft 365. Note: Google Workspace does not support disabling rules.

The employee will then receive a message to let them know that the rule is disabled, with the option to re-enable it if they made a mistake.

Here's an example message:

Who will be messaged?

Push will only send ChatOps messages to employees where ChatOps has been activated. You can activate ChatOps for employees from the Employees page or the ChatOps page of the admin console.

If you want your security team to receive a chat message when an employee confirms they don’t recognize a mail rule, enable the ChatOps topic for Potential account compromise alerts to send notifications to a specific channel in your messaging platform.

When will they be messaged?

The owner of the inbox will be messaged immediately after a suspicious mail rule is created.