Skip to content
Threat Feed
medium advisory

Office 365 MFA Notification Email Deletion for Defense Evasion

Attackers may delete multi-factor authentication (MFA) notification emails in Office 365 to evade detection and maintain unauthorized access after compromising an account.

Attackers who have successfully compromised an Office 365 account may attempt to disable or delete MFA notification emails to prevent the legitimate user from discovering the intrusion. This allows the attacker to maintain persistent access without raising suspicion. While the provided source offers limited details, understanding how adversaries might manipulate email settings and audit logs within O365 is crucial for defenders. This activity is especially concerning when combined with other suspicious behaviors like unusual login locations, access to sensitive data, or modifications to user profiles. Defenders should prioritize monitoring O365 audit logs for email deletion events, especially those performed by accounts with recent suspicious login activity.

Attack Chain

  1. Initial Access: The attacker gains initial access to an Office 365 account, likely through phishing, credential stuffing, or password spraying.
  2. Privilege Escalation (if needed): The attacker may attempt to escalate privileges within the O365 environment to gain broader access to mailboxes and settings.
  3. Access Mailbox: The attacker accesses the compromised user's mailbox.
  4. Identify MFA Notifications: The attacker searches for emails related to multi-factor authentication or account security alerts.
  5. Email Deletion: The attacker deletes the MFA notification emails, either directly through the Outlook interface or via PowerShell commands.
  6. Bypass Auditing Defenses: The attacker may attempt to disable or tamper with audit logging to cover their tracks (though this is more complex).
  7. Maintain Persistence: The attacker uses the compromised account to access sensitive data, send malicious emails, or perform other unauthorized actions.
  8. Defense Evasion: By deleting the MFA notification emails, the attacker effectively evades detection, prolonging their access to the compromised account.

Impact

Successful deletion of MFA notification emails can have significant consequences. It allows attackers to maintain persistent access to compromised accounts, enabling them to exfiltrate sensitive data, conduct business email compromise (BEC) attacks, or deploy malware within the organization. The number of victims depends on the scope of the initial compromise and the attacker's ability to move laterally within the O365 environment. The financial and reputational damage can be substantial.

Recommendation

  • Deploy the Sigma rule for detecting MFA notification email deletion in your SIEM and tune for your environment (see "MFA Notification Email Deleted" rule).
  • Monitor Office 365 audit logs for suspicious email deletion activity, focusing on accounts with unusual login patterns (reference log source in Sigma rules).
  • Implement and enforce strong multi-factor authentication policies across the organization to reduce the risk of initial account compromise.
  • Investigate any alerts generated by the Sigma rule, prioritizing accounts with elevated privileges or access to sensitive data.

Detection coverage 2

MFA Notification Email Deleted

medium

Detects the deletion of emails related to MFA notifications in Office 365, which could indicate an attacker attempting to evade detection.

sigma tactics: defense_evasion techniques: T1562.001 sources: email_deletion, o365

Suspicious O365 Email Deletion by Non-Owner

medium

Detects unusual email deletion activities performed by users who are not the mailbox owner, which may indicate unauthorized access and defense evasion.

sigma tactics: defense_evasion techniques: T1562.001 sources: email_deletion, o365

Detection queries are available on the platform. Get full rules →