Microsoft 365 Anomalous Amount of Deleted Emails

microsoft-365

Classification:

attack

Tactic:


Goal

Detect when an anomalous number of emails is deleted from Microsoft 365 Exchange.

Strategy

Monitor Microsoft 365 Exchange audit logs for events with an @evt.name value of HardDelete where the @Folder.Path is the inbox (*Inbox*), and count those events per user over a time window.
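As an added example (not part of the rule page), the strategy above written as detection logic in Python over constructed sample events: it keeps only HardDelete events whose @Folder.Path matches *Inbox*, counts them per user in fixed time windows, and flags users who exceed a threshold. The window size and threshold are placeholders to tune against your tenant's baseline.

```python
from collections import Counter
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample of Microsoft 365 Exchange audit events, flattened to the
# attribute names the rule refers to (@evt.name, @usr.id, @Folder.Path).
# Users, timestamps and folder paths are all made up for this example.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:05Z", "@evt.name": "HardDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:01:10Z", "@evt.name": "HardDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:02:30Z", "@evt.name": "HardDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:03:45Z", "@evt.name": "HardDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:04:00Z", "@evt.name": "SoftDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:05:00Z", "@evt.name": "HardDelete", "@usr.id": "alice@example.com", "@Folder.Path": "\\Deleted Items"},
    {"@timestamp": "2024-05-01T09:02:00Z", "@evt.name": "HardDelete", "@usr.id": "bob@example.com", "@Folder.Path": "\\Inbox"},
    {"@timestamp": "2024-05-01T09:30:00Z", "@evt.name": "HardDelete", "@usr.id": "carol@example.com", "@Folder.Path": "\\Inbox\\Receipts"},
]


def is_inbox_hard_delete(event):
    """Match the rule's filter: HardDelete on a folder path containing 'Inbox'."""
    return (event.get("@evt.name") == "HardDelete"
            and fnmatchcase(event.get("@Folder.Path", ""), "*Inbox*"))


def count_inbox_hard_deletes(events, window=timedelta(minutes=10)):
    """Count matching events per (user, window-start) bucket.

    The window length is a placeholder; widen or narrow it to your baseline.
    """
    counts = Counter()
    for event in events:
        if not is_inbox_hard_delete(event):
            continue
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp() // window.total_seconds())
        counts[(event["@usr.id"], bucket)] += 1
    return counts


def flag_anomalous(counts, threshold):
    """Return {user: max deletions in one window} for users above the threshold.

    The threshold is a placeholder; derive it from observed per-user behaviour.
    """
    flagged = {}
    for (user, _bucket), n in counts.items():
        if n > threshold:
            flagged[user] = max(n, flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    print(flag_anomalous(count_inbox_hard_deletes(SAMPLE_EVENTS), threshold=3))
```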

Triage and response

  1. Determine if the user {{@usr.id}} intended to delete the observed emails.
  2. If {{@usr.id}} is not responsible for the email deletions, investigate {{@usr.id}} for anomalous activity. If necessary, initiate your company’s incident response (IR) process.