LoFP / Users legitimately deleting MFA notification emails after reviewing them.

Techniques

Sample rules

M365 Exchange MFA Notification Email Deleted or Moved

Description

Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.

Detection logic

web where event.dataset == "o365.audit" and
    event.provider == "Exchange" and
    event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
    event.outcome == "success" and
    (
        o365.audit.AffectedItems.Subject like~ (
            /* new + (mfa|multi-|factor|method|device|security) */
            "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
            /* 2fa and 2-step */
            "*2fa*", "*2-step*",
            /* mfa + action verbs */
            "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
            "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
            /* factor + action verbs */
            "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
            "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
            /* method + action verbs */
            "*method enroll*", "*method register*", "*method added*", "*method change*",
            "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
            /* device + action verbs */
            "*device enroll*", "*device register*", "*device added*", "*device change*",
            "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
            /* security + action verbs */
            "*security enroll*", "*security register*", "*security added*", "*security change*",
            "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
            /* Additional security notifications */
            "*authenticator*", "*verification code*", "*security info*", "*security alert*"
        ) and not
        o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
    )
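The where-clause above, re-implemented in Python over constructed o365.audit documents, as an added example that is not part of the rule or of this LoFP entry: it rebuilds the subject list from the rule's noun/verb structure, reproduces like~ as a case-insensitive glob, and handles AffectedItems.Subject arriving as an array. Field names follow the rule; the sample events and helper names are assumptions.

```python
from fnmatch import fnmatchcase

# Rebuilt from the rule's like~ list: "new <word>", "<noun> <verb>" cross products,
# plus the fixed extras. EQL like~ is a case-insensitive glob with '*' wildcards.
NEW_WORDS = ("mfa", "multi", "factor", "method", "device", "security")
NOUNS = ("mfa", "factor", "method", "device", "security")
VERBS = ("enroll", "register", "added", "change", "verify",
         "update", "activate", "configure", "setup")
INCLUDE = ([f"*new {w}*" for w in NEW_WORDS] + ["*2fa*", "*2-step*"]
           + [f"*{n} {v}*" for n in NOUNS for v in VERBS]
           + ["*authenticator*", "*verification code*", "*security info*", "*security alert*"])
EXCLUDE = ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
ACTIONS = ("SoftDelete", "HardDelete", "MoveToDeletedItems")


def subject_matches(subject) -> bool:
    """Subject clause of the rule. AffectedItems can hold several items, so the field
    may be an array: it matches if any element hits INCLUDE and no element hits EXCLUDE."""
    values = subject if isinstance(subject, list) else [subject]
    lowered = [(s or "").lower() for s in values]
    included = any(fnmatchcase(s, p) for s in lowered for p in INCLUDE)
    excluded = any(fnmatchcase(s, p) for s in lowered for p in EXCLUDE)
    return included and not excluded


def rule_fires(event: dict) -> bool:
    """Evaluate the full where-clause on one flattened o365.audit document."""
    return (event.get("event.dataset") == "o365.audit"
            and event.get("event.provider") == "Exchange"
            and event.get("event.action") in ACTIONS
            and event.get("event.outcome") == "success"
            and subject_matches(event.get("o365.audit.AffectedItems.Subject", "")))


def firing_ids(events) -> list:
    return [e["id"] for e in events if rule_fires(e)]


def _evt(i, action, outcome, subject):  # constructed sample documents, not real audit data
    return {"id": i, "event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.action": action, "event.outcome": outcome,
            "o365.audit.AffectedItems.Subject": subject}


SAMPLE_EVENTS = [
    _evt(1, "HardDelete", "success", "Security info was added to your account"),   # fires
    _evt(2, "MoveToDeletedItems", "success",
         "Security alert: new sign-in from an unrecognized device"),              # excluded
    _evt(3, "SoftDelete", "success", "Lunch on Friday?"),                         # no match
    _evt(4, "HardDelete", "failure", "Your new MFA device is ready"),             # not success
    _evt(5, "SoftDelete", "success", ["Re: budget", "Authenticator app setup"]),  # array field
]
```

Event 1 is byte-for-byte what a user tidying their inbox after reading the notification produces, which is the false positive this entry records; the match is a triage starting point, not a verdict.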