M365 Exchange MFA Notification Email Deleted or Moved
Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.
Rule type: eql
Rule indices:
- filebeat-*
- logs-o365.audit-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
This rule detects when emails whose subjects contain MFA enrollment or security notification keywords are deleted or moved to Deleted Items. Attackers who gain access to an account and register their own MFA device will often delete the notification email immediately, so that the legitimate user never sees evidence of the change. The rule depends on Exchange mailbox audit records for the SoftDelete, HardDelete and MoveToDeletedItems operations being collected into the logs-o365.audit-* index; if mailbox auditing is not enabled for the affected mailboxes, these deletions will not be visible.
Possible investigation steps:
- Identify the user whose mailbox had the email deleted and determine whether they recently enrolled a new MFA device.
- Review Azure AD (Microsoft Entra ID) sign-in logs for the user around the time of the deletion for authentication anomalies.
- Check Azure AD (Microsoft Entra ID) audit logs for recent MFA method registrations or changes for this user.
- Review the source IP address of the deletion and determine whether it matches the user's typical access patterns.
- Look for other suspicious mailbox activity from the same session (new inbox rules, email forwarding).
- Determine whether the user was aware of and initiated the MFA enrollment that generated the notification.
False positive analysis:
- Users may legitimately delete MFA notification emails after reviewing and confirming the enrollment.
- Some organizations have mailbox rules that automatically organize or delete notification emails.
- Consider creating exceptions for users who frequently manage MFA enrollments (for example, IT help desk staff).
Response and remediation:
- If unauthorized MFA enrollment is confirmed, immediately remove the attacker's MFA method from the account.
- Revoke all active sessions and refresh tokens for the affected user.
- Reset the user's credentials and require reauthentication.
- Review inbox rules for any malicious forwarding or deletion rules.
- Check for data exfiltration or other malicious activity during the compromise window.
- Implement Conditional Access policies that target the "Register security information" user action, so that MFA registration is only allowed from trusted locations or compliant devices.
web where event.dataset == "o365.audit" and
  event.provider == "Exchange" and
  event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
  event.outcome == "success" and
  (
    o365.audit.AffectedItems.Subject like~ (
      /* new + (mfa|multi-|factor|method|device|security) */
      "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
      /* 2fa and 2-step */
      "*2fa*", "*2-step*",
      /* mfa + action verbs */
      "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*",
      "*mfa verify*", "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
      /* factor + action verbs */
      "*factor enroll*", "*factor register*", "*factor added*", "*factor change*",
      "*factor verify*", "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
      /* method + action verbs */
      "*method enroll*", "*method register*", "*method added*", "*method change*",
      "*method verify*", "*method update*", "*method activate*", "*method configure*", "*method setup*",
      /* device + action verbs */
      "*device enroll*", "*device register*", "*device added*", "*device change*",
      "*device verify*", "*device update*", "*device activate*", "*device configure*", "*device setup*",
      /* security + action verbs */
      "*security enroll*", "*security register*", "*security added*", "*security change*",
      "*security verify*", "*security update*", "*security activate*", "*security configure*", "*security setup*",
      /* Additional security notifications */
      "*authenticator*", "*verification code*", "*security info*", "*security alert*"
    ) and not
    o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
  )
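To make the query's behaviour concrete, the following Python re-implements its predicate over a few constructed o365.audit-shaped events and shows which ones alert, which one is carved out by the sign-in exclusion, and how a help-desk exception (suggested under false positives, but not part of the rule) would suppress a match. This is an added example, not Elastic's code: the include and exclude lists are rebuilt from the wildcard patterns in the query above, `like~` is emulated with a case-insensitive glob, and the flat dotted-key event layout, the `id` key, the `o365.audit.UserId` field and every sample subject are assumptions made for illustration.

```python
"""Emulate the rule's EQL predicate over constructed o365.audit events (added example)."""
import fnmatch
from typing import Any, Iterable

# --- Include list, rebuilt from the rule's `like~` wildcard patterns ----------------
NOUNS = ("mfa", "factor", "method", "device", "security")
VERBS = ("enroll", "register", "added", "change", "verify", "update",
         "activate", "configure", "setup")
INCLUDE_PATTERNS = (
    [f"*new {w}*" for w in ("mfa", "multi", "factor", "method", "device", "security")]
    + ["*2fa*", "*2-step*"]
    + [f"*{n} {v}*" for n in NOUNS for v in VERBS]
    + ["*authenticator*", "*verification code*", "*security info*", "*security alert*"]
)
# Subjects about sign-in alerts are carved out by the rule's `and not` clause.
EXCLUDE_PATTERNS = ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
DELETE_ACTIONS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def _like_ci(value: str, patterns: Iterable[str]) -> bool:
    """EQL `like~`: case-insensitive glob in which `*` matches any run of characters."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def subject_is_mfa_notification(subject: str) -> bool:
    """The parenthesised subject clause: include list minus the sign-in carve-out."""
    return _like_ci(subject, INCLUDE_PATTERNS) and not _like_ci(subject, EXCLUDE_PATTERNS)


def event_matches(event: dict[str, Any]) -> bool:
    """Full predicate. AffectedItems is an array; EQL matches if any element's Subject matches."""
    if event.get("event.dataset") != "o365.audit":
        return False
    if event.get("event.provider") != "Exchange":
        return False
    if event.get("event.action") not in DELETE_ACTIONS:
        return False
    if event.get("event.outcome") != "success":
        return False
    items = event.get("o365.audit.AffectedItems") or []
    return any(subject_is_mfa_notification(item.get("Subject", "")) for item in items)


def run_rule(events: Iterable[dict[str, Any]], exempt_users: frozenset = frozenset()) -> list[str]:
    """Return the ids of alerting events, skipping mailboxes on the exception list
    (the help-desk carve-out suggested in the false-positive notes; not in the rule itself).
    exempt_users is compared lower-cased."""
    return [
        e["id"] for e in events
        if event_matches(e) and e.get("o365.audit.UserId", "").lower() not in exempt_users
    ]


# --- Constructed sample events (assumed layout; not real tenant data) --------------
def _evt(eid: str, action: str, subject: str, user: str = "alice@example.com",
         provider: str = "Exchange", outcome: str = "success") -> dict[str, Any]:
    return {
        "id": eid,
        "event.dataset": "o365.audit",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "o365.audit.UserId": user,  # assumed field name for the mailbox owner
        "o365.audit.AffectedItems": [{"Subject": subject}],
    }


SAMPLE_EVENTS = [
    _evt("e1", "SoftDelete", "Security info was added to your account"),            # alerts
    _evt("e2", "MoveToDeletedItems", "Security alert: unusual sign-in activity"),   # excluded: sign-in
    _evt("e3", "HardDelete", "Your Microsoft Authenticator app was registered",
         user="helpdesk@example.com"),                                             # alerts unless exempt
    _evt("e4", "SoftDelete", "Security info was added to your account",
         outcome="failure"),                                                       # outcome != success
    _evt("e5", "SoftDelete", "Weekly newsletter"),                                  # no keyword
    _evt("e6", "Create", "New MFA method added"),                                   # not a delete action
]

if __name__ == "__main__":
    print("alerts:", run_rule(SAMPLE_EVENTS))
    print("alerts with help-desk exception:",
          run_rule(SAMPLE_EVENTS, exempt_users=frozenset({"helpdesk@example.com"})))
```

Event e2 is the case the `and not` clause exists for: its subject matches `*security alert*` but is dropped because it also matches `*sign-in*`, so generic "unusual sign-in" notices that users routinely delete do not fire the rule. Note that the exclusion is applied to the same subject, not to a different item in the same event, which mirrors how the EQL clause behaves.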
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indicator Removal
- Id: T1070
- Reference URL: https://attack.mitre.org/techniques/T1070/
Sub Technique:
- Name: Clear Mailbox Data
- Id: T1070.008
- Reference URL: https://attack.mitre.org/techniques/T1070/008/