Skip to content
Threat Feed
high advisory

O365 Email Password and Payroll Compromise

Attackers compromise O365 accounts and delete emails related to password resets and payroll changes, potentially redirecting payroll to attacker-controlled accounts.

This threat brief focuses on the detection of compromised Office 365 accounts exhibiting behavior indicative of payroll redirection fraud. The attack involves an adversary gaining access to a target's email account and subsequently deleting email messages related to password resets, banking information, and direct deposit updates. The attacker's objective is likely to manipulate the victim's payroll settings to redirect funds to an account under their control. This activity requires timely detection, as the window of opportunity for such redirection is typically short. This brief uses detections developed and released in the splunk-escu project, specifically released around April 2026.

Attack Chain

  1. The attacker gains initial access to the target's Office 365 account via credential theft or phishing (not directly observed in source).
  2. The attacker searches the mailbox for keywords related to password resets, banking information, direct deposit, and payroll changes (e.g., "password", "banking", "direct deposit", "OTP", "MFA").
  3. The attacker identifies emails matching the keywords.
  4. The attacker deletes the identified emails. This is often done using "SoftDelete" or "HardDelete" operations.
  5. The attacker modifies the victim's payroll or banking information using data gleaned from the accessed emails or via impersonation.
  6. The attacker attempts to maintain access to the compromised account, potentially setting up forwarding rules or other persistence mechanisms (not directly observed in source).
  7. The attacker monitors for any alerts or notifications related to the changes they made, and attempts to delete or suppress them (not directly observed in source).
  8. The attacker successfully redirects payroll funds to their own account.

Impact

A successful attack of this nature results in financial loss for the victim. It can also cause reputational damage to the organization if employees' payroll information is compromised. The number of victims can vary greatly depending on the scope of the attack. This type of attack often targets employees in finance or HR departments, or those with access to sensitive payroll data.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect instances where users receive and delete emails related to both password resets and payroll changes. Tune the rule for your environment to minimize false positives.
  • Investigate any alerts generated by the Sigma rule by examining the user's mailbox activity and login history. Use the drilldown searches to view the detection results for the affected user.
  • Implement multi-factor authentication (MFA) for all Office 365 accounts to reduce the risk of credential theft.
  • Educate employees about the risks of phishing and social engineering attacks, and how to identify suspicious emails.
  • Monitor Office 365 audit logs for suspicious activity, such as unusual login locations, excessive email deletions, or changes to mailbox settings.
  • Review and enforce strong password policies to prevent attackers from easily guessing or cracking passwords.

Detection coverage 2

O365 Email Deletion After Password/Payroll Email Received

high

Detects when a user receives and deletes emails with password and payroll-related subjects within a short timeframe, indicating potential account compromise.

sigma tactics: defense_evasion, impact techniques: T1070.008, T1114.001 sources: office365, o365

O365 Suspicious Email Client Info String

medium

Detects suspicious client info strings used when deleting emails, which may be indicative of malicious activity.

sigma tactics: defense_evasion techniques: T1070.008 sources: office365, o365

Detection queries are available on the platform. Get full rules →