Supported Anomalies
Critical Anomalies
New delete-all-emails rule
This anomaly inspects new rules and detects those configured to delete all incoming emails. Such a rule is a potentially malicious configuration and may indicate an account takeover.
This anomaly has the highest impact.
Users Sending Malicious Emails
This anomaly is triggered when an internal user sends a phishing or spam email to internal and/or external recipients.
Using exceptions, administrators can disable this anomaly for a specific user or for all users.
Move all emails to a subfolder
This anomaly inspects new rules and detects those configured to move all incoming emails to a specific subfolder. Such a rule is a possibly malicious configuration and could indicate an account takeover.
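One way to express the delete-all and move-all rule checks over Microsoft 365 audit records, as an added example that is not Check Point's detection logic. It assumes a simplified record layout and constructed sample events; parameter names are those of the Exchange Online New-InboxRule cmdlet, and the list of non-condition parameters is a non-exhaustive assumption.

```python
# Illustrative only: flags new inbox rules that act on ALL incoming mail.
DELETE_ACTIONS = {"DeleteMessage", "SoftDeleteMessage"}
MOVE_ACTIONS = {"MoveToFolder"}
# Parameters that do not narrow which messages a rule matches
# (assumed, non-exhaustive list).
NON_CONDITIONS = DELETE_ACTIONS | MOVE_ACTIONS | {
    "Name", "Mailbox", "Priority", "Force", "MarkAsRead",
    "StopProcessingRules", "AlwaysDeleteOutlookRulesBlob",
}

def classify_rule(event):
    """Return 'delete-all', 'move-all' or None for one audit record."""
    if event.get("Operation") != "New-InboxRule":
        return None
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    # Any other parameter is treated as a match condition (sender, subject,
    # and so on), which means the rule does not apply to every message.
    if any(name not in NON_CONDITIONS for name in params):
        return None
    if any(params.get(a, "").lower() == "true" for a in DELETE_ACTIONS):
        return "delete-all"
    if params.get("MoveToFolder"):
        return "move-all"
    return None

def scan(events):
    """Return (user, finding) pairs for every flagged rule creation."""
    findings = ((e["UserId"], classify_rule(e)) for e in events)
    return [(user, kind) for user, kind in findings if kind]

def ev(user, op, **params):
    """Build a constructed audit record in the simplified layout."""
    return {"UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ev("alice@example.com", "New-InboxRule", Name="rule1", DeleteMessage="True"),
    ev("bob@example.com", "New-InboxRule", Name="Newsletters",
       From="news@example.com", MoveToFolder="Newsletters"),
    ev("carol@example.com", "New-InboxRule", Name="rule2",
       MoveToFolder="RSS Feeds", MarkAsRead="True"),
    ev("dave@example.com", "Set-Mailbox", Name="dave"),
]

if __name__ == "__main__":
    for user, kind in scan(SAMPLE_EVENTS):
        print(f"{user}: {kind} rule created")
```

The rule for bob is not flagged because its `From` condition limits it to one sender, which is the distinction between an ordinary filing rule and one that hides all incoming mail.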
AI-Based Detection of Anomalous Logins
This anomaly uses an AI engine designed to inspect all the parameters of login events to pinpoint those performed by malicious actors.
The AI engine inspects a variety of parameters, including IP address, browser type, browser version, device, VPN brand, etc.
Login events detected by this AI engine flag the corresponding users as compromised.
Login from Malicious IP Address
This anomaly detects compromised accounts based on the IP address from which attackers logged into Microsoft 365.
Users logging into Microsoft 365 from IP addresses detected as sources of phishing emails, or from IP addresses known to Check Point as malicious, are flagged as compromised.