M365 Exchange MFA Notification Email Deleted or Moved

Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/25"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/25"

[rule]
author = ["Elastic"]
description = """
Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in
Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the
notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This
technique is commonly observed in business email compromise (BEC) and account takeover attacks.
"""
false_positives = [
    "Users legitimately deleting MFA notification emails after reviewing them.",
    "Automated mailbox rules that move security notifications to specific folders.",
    "Email retention policies that automatically delete old notification emails.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "M365 Exchange MFA Notification Email Deleted or Moved"
note = """## Triage and Analysis

### Investigating M365 Exchange MFA Notification Email Deleted or Moved

This rule detects when emails containing MFA enrollment or security notification keywords are deleted or moved to deleted items. Attackers who gain access to an account and register their own MFA device will often immediately delete the notification email to prevent the legitimate user from detecting the compromise.

#### Possible Investigation Steps

- Identify the user whose mailbox had the email deleted and determine if they recently enrolled a new MFA device.
- Review Azure AD sign-in logs for the user around the time of the deletion for authentication anomalies.
- Check Azure AD audit logs for recent MFA method registrations or changes for this user.
- Review the source IP address and determine if it matches the user's typical access patterns.
- Look for other suspicious mailbox activities from the same session (inbox rules, email forwarding).
- Determine if the user was aware of and initiated the MFA enrollment that generated the notification.

### False Positive Analysis

- Users may legitimately delete MFA notification emails after reviewing and confirming the enrollment.
- Some organizations have mailbox rules that automatically organize or delete notification emails.
- Consider creating exceptions for users who frequently manage MFA enrollments (IT help desk).

### Response and Remediation

- If unauthorized MFA enrollment is confirmed, immediately remove the attacker's MFA method from the account.
- Revoke all active sessions and refresh tokens for the affected user.
- Reset the user's credentials and require reauthentication.
- Review inbox rules for any malicious forwarding or deletion rules.
- Check for data exfiltration or other malicious activities during the compromise window.
- Implement conditional access policies to restrict MFA registration to trusted locations/devices.
"""
references = [
    "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"
]
risk_score = 21
rule_id = "c9636a6e-125e-11f1-9cd3-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
web where event.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
    event.outcome == "success" and
    (
        o365.audit.AffectedItems.Subject like~ (
            /* new + (mfa|multi-|factor|method|device|security) */
            "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
            /* 2fa and 2-step */
            "*2fa*", "*2-step*",
            /* mfa + action verbs */
            "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
            "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
            /* factor + action verbs */
            "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
            "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
            /* method + action verbs */
            "*method enroll*", "*method register*", "*method added*", "*method change*",
            "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
            /* device + action verbs */
            "*device enroll*", "*device register*", "*device added*", "*device change*",
            "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
            /* security + action verbs */
            "*security enroll*", "*security register*", "*security added*", "*security change*",
            "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
            /* Additional security notifications */
            "*authenticator*", "*verification code*", "*security info*", "*security alert*"
        ) and not
        o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.008"
name = "Clear Mailbox Data"
reference = "https://attack.mitre.org/techniques/T1070/008/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
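The following Python is an added example, not code from Elastic or the detection-rules repository. It re-implements the rule's filtering and case-insensitive subject matching (EQL `like~` with `*` wildcards, rebuilt from the structure the query's comments describe) and runs it over constructed o365 audit records, then carries out the "check Azure AD audit logs for recent MFA method registrations" triage step against constructed Entra ID / Azure AD audit events. The flattened field names mirror the query; the activity name "User registered security info", the 24-hour lookback window and all sample records are assumptions made for the example.

```python
"""Added example: the rule's subject logic plus one triage step, over constructed data."""
import fnmatch
from datetime import datetime, timedelta

DELETE_ACTIONS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}

# Rebuild the query's 57 subject patterns from the grouping its comments describe.
_NEW_NOUNS = ["mfa", "multi", "factor", "method", "device", "security"]
_NOUNS = ["mfa", "factor", "method", "device", "security"]
_VERBS = ["enroll", "register", "added", "change", "verify",
          "update", "activate", "configure", "setup"]
MFA_SUBJECT_PATTERNS = (
    [f"*new {n}*" for n in _NEW_NOUNS]
    + ["*2fa*", "*2-step*"]
    + [f"*{n} {v}*" for n in _NOUNS for v in _VERBS]
    + ["*authenticator*", "*verification code*", "*security info*", "*security alert*"]
)
# Subjects the rule explicitly excludes (sign-in alerts are a different notification class).
EXCLUDE_SUBJECT_PATTERNS = ["*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*"]

# Assumed Entra ID audit activity names for an MFA method registration (not from the page).
MFA_REGISTRATION_ACTIVITIES = {"User registered security info",
                               "User registered all required security info"}


def subject_matches(subject):
    """Case-insensitive glob test mirroring `like~`, with the exclusion list applied first."""
    s = subject.lower()
    if any(fnmatch.fnmatchcase(s, p) for p in EXCLUDE_SUBJECT_PATTERNS):
        return False
    return any(fnmatch.fnmatchcase(s, p) for p in MFA_SUBJECT_PATTERNS)


def is_rule_hit(rec):
    """Apply the query's dataset/provider/action/outcome filters, then the subject test.
    AffectedItems is an array in the audit record, so Subject is modelled as a list."""
    return (rec.get("event.dataset") == "o365.audit"
            and rec.get("event.provider") == "Exchange"
            and rec.get("event.action") in DELETE_ACTIONS
            and rec.get("event.outcome") == "success"
            and any(subject_matches(s)
                    for s in rec.get("o365.audit.AffectedItems.Subject", [])))


def recent_mfa_registrations(hit, aad_events, lookback=timedelta(hours=24)):
    """Triage step: MFA registrations for the same user in the window before the deletion."""
    t_del = datetime.fromisoformat(hit["@timestamp"])
    found = []
    for ev in aad_events:
        if ev["user"] != hit["user.name"] or ev["activity"] not in MFA_REGISTRATION_ACTIVITIES:
            continue
        age = t_del - datetime.fromisoformat(ev["@timestamp"])
        if timedelta(0) <= age <= lookback:   # registration shortly before the deletion
            found.append(ev)
    return found


def run(o365_records, aad_events):
    """Return (user, first matching subject, number of recent MFA registrations) per hit."""
    findings = []
    for rec in o365_records:
        if is_rule_hit(rec):
            regs = recent_mfa_registrations(rec, aad_events)
            findings.append((rec["user.name"],
                             rec["o365.audit.AffectedItems.Subject"][0], len(regs)))
    return findings


def _o365(ts, user, action, subject, outcome="success"):
    """Helper to build a constructed o365 audit record with the query's field names."""
    return {"@timestamp": ts, "user.name": user, "event.dataset": "o365.audit",
            "event.provider": "Exchange", "event.action": action, "event.outcome": outcome,
            "o365.audit.AffectedItems.Subject": [subject]}


# Constructed sample data (not real tenant logs).
SAMPLE_O365 = [
    _o365("2026-02-25T10:05:00", "alice@example.com", "SoftDelete", "Your new MFA method was added"),
    _o365("2026-02-25T11:00:00", "bob@example.com", "HardDelete", "Verification code for your account"),
    _o365("2026-02-25T11:30:00", "carol@example.com", "MoveToDeletedItems",
          "Security alert: new sign-in from an unrecognised device"),      # excluded by sign-in
    _o365("2026-02-25T12:00:00", "dave@example.com", "SoftDelete", "Weekly newsletter"),
    _o365("2026-02-25T12:30:00", "erin@example.com", "SoftDelete", "MFA enrollment completed",
          outcome="failure"),                                               # deletion did not succeed
]
SAMPLE_AAD = [
    {"@timestamp": "2026-02-25T09:58:00", "user": "alice@example.com",
     "activity": "User registered security info"},   # 7 minutes before alice's deletion
    {"@timestamp": "2026-02-22T11:00:00", "user": "bob@example.com",
     "activity": "User registered security info"},   # 3 days before bob's deletion: outside window
]

if __name__ == "__main__":
    for user, subject, n in run(SAMPLE_O365, SAMPLE_AAD):
        print(f"{user}: deleted '{subject}', {n} MFA registration(s) in the prior 24h")
```

Alice's hit is the one that deserves immediate attention: a security-info registration a few minutes before the notification was deleted is exactly the sequence the rule describes, while Bob's hit has no recent registration and is more likely the benign "user read it and deleted it" false positive listed above.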
