[New Rule] M365 MFA Notification Email Deleted or Moved #5778
Description
Summary
This PR introduces a detection rule for identifying when MFA enrollment or security notification emails are deleted or moved to trash in Microsoft 365 Exchange. This is a common defense evasion technique used by attackers after compromising an account and registering their own MFA device.
Background
After gaining access to a victim's account (often via device code phishing or credential theft), attackers frequently:
- Register their own MFA device/authenticator to maintain persistence
- Immediately delete the enrollment notification email to prevent the legitimate user from noticing
This technique is commonly observed in:
- Business Email Compromise (BEC) attacks
- ShinyHunters SaaS data theft operations
- APT29/Nobelium device code phishing campaigns
By deleting the notification email, attackers buy time before the compromise is detected, allowing them to exfiltrate data or conduct further malicious activities.
New Rule
M365 MFA Notification Email Deleted or Moved
File: rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml
Detects when emails containing MFA/security enrollment keywords are deleted from Exchange mailboxes:
Actions Monitored:
SoftDeleteHardDeleteMoveToDeletedItems
Subject Pattern Categories:
new + (mfa|multi-|factor|method|device|security)2fa,2-step(mfa|factor|method|device|security) + (enroll|register|added|change|verify|update|activate|configure|setup)authenticator,verification code,security info,security alert
Exclusions:
- Sign-in/logon notification emails (high noise, low signal)
Data Source
- Integration: Microsoft 365 (
o365.audit) - Index:
logs-o365.audit-* - Provider: Exchange
- Key Field:
o365.audit.AffectedItems.Subject
Validation
Rule was validated through manual emulation:
- Sent test email with subject "new mfa" to mailbox
- Deleted the email from inbox
- Confirmed detection fired on the
MovedToDeletedItemsevent matching the subject pattern
References