<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Data_destruction - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/data_destruction/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/data_destruction/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Email Account Compromise via Excessive Hard Deletes</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-email-hard-delete/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-email-hard-delete/</guid><description>Compromised O365 accounts may perform excessive email hard deletes within an hour to remove evidence of malicious activity, potentially indicating account takeover.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of compromised Office 365 (O365) email accounts performing a high volume of email hard deletes within a short timeframe (1 hour). This activity, detected via O365 management activity logs, suggests a threat actor is attempting to cover their tracks by permanently removing emails from the 'Sent Items' or 'Recoverable Items\Deletions' folders. This behavior is often associated with account takeover scenarios where attackers aim to eliminate evidence of phishing campaigns, data exfiltration, or other unauthorized activities. It is crucial for defenders to monitor and alert on such anomalies to identify and contain potentially compromised accounts quickly, mitigating further damage to the organization. While some legitimate user actions might trigger this alert, such activity may be misaligned with organizational best practices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to an O365 email account, likely through phishing, credential stuffing, or other means.</li>
<li><strong>Account Reconnaissance:</strong> The attacker explores the compromised mailbox to understand its contents and identify potentially sensitive information.</li>
<li><strong>Lateral Movement (Optional):</strong> The attacker uses the compromised account to send phishing emails or malicious attachments to other users within or outside the organization.</li>
<li><strong>Data Exfiltration (Optional):</strong> The attacker exfiltrates sensitive data from the compromised mailbox or uses the account to access other internal resources.</li>
<li><strong>Evidence Removal:</strong> The attacker initiates a large number of &quot;HardDelete&quot; operations on emails within the &quot;Sent Items&quot; and/or &quot;Recoverable Items\Deletions&quot; folders.</li>
<li><strong>Hard Delete Execution:</strong> The O365 service executes the &quot;HardDelete&quot; operations, permanently removing the specified emails from the mailbox.</li>
<li><strong>Cleanup:</strong> The attacker might modify other account settings or data to further obscure their presence.</li>
<li><strong>Persistence (Optional):</strong> The attacker establishes persistence mechanisms to maintain access to the account even if the password is changed.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful account compromise leading to excessive email hard deletes can have several significant impacts:</p>
<ul>
<li><strong>Loss of Evidence:</strong> Critical forensic evidence related to the attack is permanently deleted, hindering investigation and remediation efforts.</li>
<li><strong>Data Breach:</strong> Sensitive data within the deleted emails might be exposed or exfiltrated, leading to regulatory fines and reputational damage.</li>
<li><strong>Business Disruption:</strong> The compromised account can be used to send malicious emails, disrupt business operations, and damage relationships with clients and partners.</li>
<li><strong>Compliance Violations:</strong> Deletion of emails may violate compliance regulations regarding data retention and record keeping.</li>
</ul>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>O365 Excessive Email Hard Deletes</code> to your SIEM and tune the threshold (<code>count &gt; 50 OR file_size &gt; 10</code>) to match your organization's baseline email activity.</li>
<li>Investigate any alerts triggered by the <code>O365 Excessive Email Hard Deletes</code> Sigma rule to determine if the hard deletes are legitimate or indicative of a compromised account.</li>
<li>Implement multi-factor authentication (MFA) for all O365 accounts to reduce the risk of account compromise.</li>
<li>Review and enforce O365 audit logging policies to ensure that all relevant activity is being logged and retained.</li>
<li>Educate users about phishing and other social engineering techniques to prevent account compromise.</li>
<li>Implement the <code>O365 Email Hard Delete from Unusual Location</code> Sigma rule to detect hard deletes originating from unusual IP addresses.</li>
<li>Use drilldown searches to Investigate Email for suspicious users.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>email</category><category>account_compromise</category><category>data_destruction</category></item></channel></rss>