ChatOps topics: Suspicious mail rules

Use ChatOps to message employees when suspicious mail rules are created to find out if they created them - if they didn’t, Push will disable the rule and notify your security team.

Not sure what ChatOps is? Find out more here.

What kind of messages are sent?

When a suspicious mail rule is created Push will message the owner of the inbox asking if they just created it. If the mail rule is legitimate, the creation will be fresh in their mind so the employee can confidently answer yes. If they don’t recognize the rule, the employee will answer no and Push will disable the rule (this is only possible on Microsoft 365, Google Workspace does not support disabling rules and so we don't modify the rule). Users receive a message informing them the rule is disabled, with the option to re-enable if they made a mistake.

Here's an example message they will receive:

ChatOps topics: mail rules - example message
An example ChatOps message an employee would receive if a suspicious mail rule is created in their inbox

Who will be messaged?

Push will only send ChatOps messages to employees where ChatOps has been activated. You can activate ChatOps for employees from the Employees page or the ChatOps page of the admin console.

If you want your security team to receive a chat message when an employee confirms they don’t recognize a mail rule, enable the ChatOps topic for Potential account compromise alerts to send notifications to a specific channel in your messaging platform.

When will they be messaged?

The owner of the inbox will be messaged immediately after a suspicious mail rule is created, if they have ChatOps enabled.

Any other questions?

If you’d like to know more about this chat topic, or ChatOps generally, feel free to contact us.