Techniques
Sample rules
M365 Exchange MFA Notification Email Deleted or Moved
- source: elastic
- techniques:
- T1070
Description
Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.
Detection logic
web where event.dataset == "o365.audit" and
  event.provider == "Exchange" and
  event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
  event.outcome == "success" and
  (
    o365.audit.AffectedItems.Subject like~ (
      /* new + (mfa|multi-|factor|method|device|security) */
      "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
      /* 2fa and 2-step */
      "*2fa*", "*2-step*",
      /* mfa + action verbs */
      "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
      "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
      /* factor + action verbs */
      "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
      "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
      /* method + action verbs */
      "*method enroll*", "*method register*", "*method added*", "*method change*",
      "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
      /* device + action verbs */
      "*device enroll*", "*device register*", "*device added*", "*device change*",
      "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
      /* security + action verbs */
      "*security enroll*", "*security register*", "*security added*", "*security change*",
      "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
      /* Additional security notifications */
      "*authenticator*", "*verification code*", "*security info*", "*security alert*"
    ) and not
    o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
  )
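The same logic as an added stand-alone Python approximation (example code, not Elastic's rule engine): it rebuilds the subject allowlist from the noun and verb words the query spells out, applies the sign-in exclusion, and runs over constructed sample events in the query's flattened field layout. `fnmatch` stands in for EQL's case-insensitive `like~`.

```python
import fnmatch

# Word lists the rule combines into "<noun> <verb>" wildcard patterns.
NOUNS = ["mfa", "factor", "method", "device", "security"]
VERBS = ["enroll", "register", "added", "change", "verify",
         "update", "activate", "configure", "setup"]
NEW_TERMS = ["mfa", "multi", "factor", "method", "device", "security"]

# Rebuild the rule's subject allowlist (EQL like~ wildcards, case-insensitive).
SUBJECT_PATTERNS = (
    [f"*new {t}*" for t in NEW_TERMS]
    + ["*2fa*", "*2-step*"]
    + [f"*{n} {v}*" for n in NOUNS for v in VERBS]
    + ["*authenticator*", "*verification code*", "*security info*", "*security alert*"]
)
# Subjects the rule excludes so routine sign-in notices do not alert.
EXCLUDE_PATTERNS = ["*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*"]
DELETE_ACTIONS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}

def like_any(text, patterns):
    """Case-insensitive wildcard match against a pattern list, like EQL like~."""
    text = text.lower()
    return any(fnmatch.fnmatchcase(text, p.lower()) for p in patterns)

def matches_rule(event):
    """Return True when a flattened o365.audit event satisfies the rule."""
    if (event.get("event.dataset") != "o365.audit"
            or event.get("event.provider") != "Exchange"
            or event.get("event.action") not in DELETE_ACTIONS
            or event.get("event.outcome") != "success"):
        return False
    subject = event.get("o365.audit.AffectedItems.Subject", "")
    # One audit record can carry several affected items; alert if any subject matches.
    subjects = subject if isinstance(subject, list) else [subject]
    return any(like_any(s, SUBJECT_PATTERNS) and not like_any(s, EXCLUDE_PATTERNS)
               for s in subjects)

def make_event(action, subject, outcome="success"):
    """Build a constructed sample event in the rule's flattened field layout."""
    return {"event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.action": action, "event.outcome": outcome,
            "o365.audit.AffectedItems.Subject": subject}

# Constructed samples, not real tenant data.
SAMPLE_EVENTS = [
    make_event("MoveToDeletedItems", "Your new MFA method was added"),           # alerts
    make_event("HardDelete", "Security info: new sign-in from unknown device"),  # excluded
    make_event("Create", "New device added to your account"),                    # not a delete
]
```

The second sample shows why the exclusion matters: its subject hits `*security info*` but is suppressed by `*sign-in*`, so only genuine enrollment and registration notices reach the alert.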