
M365 Exchange MFA Notification Email Deleted or Moved

Status: production
Severity: low
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.


Rule body

[metadata]
creation_date = "2026/02/25"
integration = ["o365"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in
Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the
notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This
technique is commonly observed in business email compromise (BEC) and account takeover attacks.
"""
false_positives = [
    "Users legitimately deleting MFA notification emails after reviewing them.",
    "Automated mailbox rules that move security notifications to specific folders.",
    "Email retention policies that automatically delete old notification emails.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "M365 Exchange MFA Notification Email Deleted or Moved"
note = """## Triage and Analysis

### Investigating M365 Exchange MFA Notification Email Deleted or Moved

This rule detects when emails containing MFA enrollment or security notification keywords are deleted or moved to deleted items. Attackers who gain access to an account and register their own MFA device will often immediately delete the notification email to prevent the legitimate user from detecting the compromise.

#### Possible Investigation Steps

- Identify the user whose mailbox had the email deleted and determine if they recently enrolled a new MFA device.
- Review Azure AD sign-in logs for the user around the time of the deletion for authentication anomalies.
- Check Azure AD audit logs for recent MFA method registrations or changes for this user.
- Review the source IP address and determine if it matches the user's typical access patterns.
- Look for other suspicious mailbox activities from the same session (inbox rules, email forwarding).
- Determine if the user was aware of and initiated the MFA enrollment that generated the notification.

### False Positive Analysis

- Users may legitimately delete MFA notification emails after reviewing and confirming the enrollment.
- Some organizations have mailbox rules that automatically organize or delete notification emails.
- Consider creating exceptions for users who frequently manage MFA enrollments (IT help desk).

### Response and Remediation

- If unauthorized MFA enrollment is confirmed, immediately remove the attacker's MFA method from the account.
- Revoke all active sessions and refresh tokens for the affected user.
- Reset the user's credentials and require reauthentication.
- Review inbox rules for any malicious forwarding or deletion rules.
- Check for data exfiltration or other malicious activities during the compromise window.
- Implement conditional access policies to restrict MFA registration to trusted locations/devices.
"""
references = [
    "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"
]
risk_score = 21
rule_id = "c9636a6e-125e-11f1-9cd3-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
web where data_stream.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
    event.outcome == "success" and
    (
        o365.audit.AffectedItems.Subject like~ (
            /* new + (mfa|multi-|factor|method|device|security) */
            "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
            /* 2fa and 2-step */
            "*2fa*", "*2-step*",
            /* mfa + action verbs */
            "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
            "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
            /* factor + action verbs */
            "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
            "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
            /* method + action verbs */
            "*method enroll*", "*method register*", "*method added*", "*method change*",
            "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
            /* device + action verbs */
            "*device enroll*", "*device register*", "*device added*", "*device change*",
            "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
            /* security + action verbs */
            "*security enroll*", "*security register*", "*security added*", "*security change*",
            "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
            /* Additional security notifications */
            "*authenticator*", "*verification code*", "*security info*", "*security alert*"
        ) and not
        o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique.subtechnique]]
id = "T1070.008"
name = "Clear Mailbox Data"
reference = "https://attack.mitre.org/techniques/T1070/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
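
The following Python is an added example, not code from the Elastic rule or the detection-rules repository. It re-implements the query's predicate outside Elasticsearch so the keyword lists and the exclusion clause can be exercised against constructed o365.audit events. It assumes ECS-shaped dictionaries carrying only the fields the rule reads, uses fnmatch as a stand-in for the case-insensitive `like~` glob, and assumes EQL's any-value semantics on the multi-valued AffectedItems.Subject field, so a single excluded subject in a bulk delete suppresses the whole event. The make_event and run helpers, the sample subjects, and the alice@example.com mailbox are all constructed for illustration.

```python
import fnmatch
from typing import Iterable

# Subject patterns copied from the rule body. The noun/verb comprehension expands
# to the same 45 "<noun> <verb>" globs the rule lists explicitly.
INCLUDE_PATTERNS = [
    "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
    "*2fa*", "*2-step*",
    *[f"*{noun} {verb}*"
      for noun in ("mfa", "factor", "method", "device", "security")
      for verb in ("enroll", "register", "added", "change", "verify",
                   "update", "activate", "configure", "setup")],
    "*authenticator*", "*verification code*", "*security info*", "*security alert*",
]
EXCLUDE_PATTERNS = ["*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*"]
DELETE_ACTIONS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def like_ci(value: str, patterns: Iterable[str]) -> bool:
    """Stand-in for EQL `like~`: case-insensitive glob, true if any pattern matches."""
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def matches_rule(event: dict) -> bool:
    """Evaluate the rule predicate against one ECS-shaped o365.audit document.

    Assumption: AffectedItems is a list, and EQL treats the multi-valued
    AffectedItems.Subject as "any value matches", so the negated clause holds
    only when no subject matches an exclusion pattern.
    """
    if event.get("data_stream", {}).get("dataset") != "o365.audit":
        return False
    ev = event.get("event", {})
    if ev.get("provider") != "Exchange" or ev.get("action") not in DELETE_ACTIONS:
        return False
    if ev.get("outcome") != "success":
        return False
    items = event.get("o365", {}).get("audit", {}).get("AffectedItems", [])
    subjects = [item.get("Subject", "") for item in items]
    included = any(like_ci(s, INCLUDE_PATTERNS) for s in subjects)
    excluded = any(like_ci(s, EXCLUDE_PATTERNS) for s in subjects)
    return included and not excluded


def make_event(action, subjects, outcome="success", provider="Exchange"):
    """Build a constructed sample event carrying only the fields the rule reads."""
    return {
        "data_stream": {"dataset": "o365.audit"},
        "event": {"provider": provider, "action": action, "outcome": outcome},
        "user": {"id": "alice@example.com"},  # constructed, hypothetical mailbox owner
        "o365": {"audit": {"AffectedItems": [{"Subject": s} for s in subjects]}},
    }


# Constructed test corpus; comments give the expected verdict and why.
SAMPLE_EVENTS = [
    make_event("SoftDelete", ["Microsoft account: New security info added"]),            # 0 fires
    make_event("MoveToDeletedItems", ["Your Authenticator app was set up"]),              # 1 fires
    make_event("HardDelete", ["Security alert: unusual sign-in to your account"]),        # 2 excluded
    make_event("SoftDelete", ["Weekly newsletter"]),                                      # 3 no keyword
    make_event("SoftDelete", ["New MFA method added"], outcome="failure"),                # 4 outcome filter
    make_event("SoftDelete", ["New MFA method added"], provider="AzureActiveDirectory"),  # 5 provider filter
    make_event("HardDelete", ["New MFA method added", "Unusual sign-in activity"]),       # 6 bulk delete, excluded
]


def run(events):
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", run(SAMPLE_EVENTS))  # → [0, 1]
```

Events 2 and 6 are the cases worth noting when tuning: a genuine "security alert" notification is suppressed whenever its subject also mentions a sign-in, and under the any-value assumption a bulk delete that sweeps up one excluded subject hides the MFA notification deleted alongside it. The 9m lookback and the event.ingested timestamp override are not modelled here; the script evaluates the predicate only.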

Stages and Predicates

Stage 1: web

web where data_stream.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
    event.outcome == "success" and
    (
        o365.audit.AffectedItems.Subject like~ (
            "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
            "*2fa*", "*2-step*",
            "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
            "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
            "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
            "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
            "*method enroll*", "*method register*", "*method added*", "*method change*",
            "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
            "*device enroll*", "*device register*", "*device added*", "*device change*",
            "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
            "*security enroll*", "*security register*", "*security added*", "*security change*",
            "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
            "*authenticator*", "*verification code*", "*security info*", "*security alert*"
        ) and not
        o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
    )

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field: o365.audit.AffectedItems.Subject
Kind: match
Excluded values: sign-in, sign in, log-in, log in, logon

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field (Kind)
  • Values
data_stream.dataset (eq)
  • o365.audit
event.action (in)
  • HardDelete
  • MoveToDeletedItems
  • SoftDelete
event.outcome (eq)
  • success
event.provider (eq)
  • Exchange
o365.audit.AffectedItems.Subject (wildcard)
  • *2-step*
  • *2fa*
  • *authenticator*
  • *device activate*
  • *device added*
  • *device change*
  • *device configure*
  • *device enroll*
  • *device register*
  • *device setup*
  • *device update*
  • *device verify*
  • *factor activate*
  • *factor added*
  • *factor change*
  • *factor configure*
  • *factor enroll*
  • *factor register*
  • *factor setup*
  • *factor update*
  • *factor verify*
  • *method activate*
  • *method added*
  • *method change*
  • *method configure*
  • *method enroll*
  • *method register*
  • *method setup*
  • *method update*
  • *method verify*
  • *mfa activate*
  • *mfa added*
  • *mfa change*
  • *mfa configure*
  • *mfa enroll*
  • *mfa register*
  • *mfa setup*
  • *mfa update*
  • *mfa verify*
  • *new device*
  • *new factor*
  • *new method*
  • *new mfa*
  • *new multi*
  • *new security*
  • *security activate*
  • *security added*
  • *security alert*
  • *security change*
  • *security configure*
  • *security enroll*
  • *security info*
  • *security register*
  • *security setup*
  • *security update*
  • *security verify*
  • *verification code*