<  Back to rules search

Microsoft 365 Anomalous Amount of Deleted Emails

microsoft-365

Classification:

attack

Tactic:

TA0040-impact

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.

Strategy

Monitor Microsoft 365 Exchange audit logs to look for events with an @evt.name value of HardDelete, where the @Folder.Path is the inbox (*Inbox*).

Triage and response

  1. Determine if the user {{@usr.id}} intended to delete the observed emails.
  2. If {{@usr.id}} is not responsible for the email deletions, investigate {{@usr.id}} for anomalous activity. If necessary, initiate your company’s incident response (IR) process.