{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data_destruction/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365"],"_cs_severities":["high"],"_cs_tags":["o365","email","account_compromise","data_destruction"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of compromised Office 365 (O365) email accounts performing a high volume of email hard deletes within a short timeframe (1 hour). This activity, detected via O365 management activity logs, suggests a threat actor is attempting to cover their tracks by permanently removing emails from the 'Sent Items' or 'Recoverable Items\\Deletions' folders. This behavior is often associated with account takeover scenarios where attackers aim to eliminate evidence of phishing campaigns, data exfiltration, or other unauthorized activities. It is crucial for defenders to monitor and alert on such anomalies to identify and contain potentially compromised accounts quickly, mitigating further damage to the organization. While some legitimate user actions might trigger this alert, such activity may be misaligned with organizational best practices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an O365 email account, likely through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Reconnaissance:\u003c/strong\u003e The attacker explores the compromised mailbox to understand its contents and identify potentially sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to send phishing emails or malicious attachments to other users within or outside the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Optional):\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised mailbox or uses the account to access other internal resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvidence Removal:\u003c/strong\u003e The attacker initiates a large number of \u0026quot;HardDelete\u0026quot; operations on emails within the \u0026quot;Sent Items\u0026quot; and/or \u0026quot;Recoverable Items\\Deletions\u0026quot; folders.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHard Delete Execution:\u003c/strong\u003e The O365 service executes the \u0026quot;HardDelete\u0026quot; operations, permanently removing the specified emails from the mailbox.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCleanup:\u003c/strong\u003e The attacker might modify other account settings or data to further obscure their presence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the account even if the password is changed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful account compromise leading to excessive email hard deletes can have several significant impacts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eLoss of Evidence:\u003c/strong\u003e Critical forensic evidence related to the attack is permanently deleted, hindering investigation and remediation efforts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Breach:\u003c/strong\u003e Sensitive data within the deleted emails might be exposed or exfiltrated, leading to regulatory fines and reputational damage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Disruption:\u003c/strong\u003e The compromised account can be used to send malicious emails, disrupt business operations, and damage relationships with clients and partners.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompliance Violations:\u003c/strong\u003e Deletion of emails may violate compliance regulations regarding data retention and record keeping.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eO365 Excessive Email Hard Deletes\u003c/code\u003e to your SIEM and tune the threshold (\u003ccode\u003ecount \u0026gt; 50 OR file_size \u0026gt; 10\u003c/code\u003e) to match your organization's baseline email activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u003ccode\u003eO365 Excessive Email Hard Deletes\u003c/code\u003e Sigma rule to determine if the hard deletes are legitimate or indicative of a compromised account.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all O365 accounts to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce O365 audit logging policies to ensure that all relevant activity is being logged and retained.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing and other social engineering techniques to prevent account compromise.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eO365 Email Hard Delete from Unusual Location\u003c/code\u003e Sigma rule to detect hard deletes originating from unusual IP addresses.\u003c/li\u003e\n\u003cli\u003eUse drilldown searches to Investigate Email for suspicious users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-hard-delete/","summary":"Compromised O365 accounts may perform excessive email hard deletes within an hour to remove evidence of malicious activity, potentially indicating account takeover.","title":"O365 Email Account Compromise via Excessive Hard Deletes","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-hard-delete/"}],"language":"en","title":"CraftedSignal Threat Feed - Data_destruction","version":"https://jsonfeed.org/version/1.1"}