M365 Exchange MFA Notification Email Deleted or Moved

Last updated 2 days ago on 2026-02-25
Created 2 days ago on 2026-02-25

About

Identifies when an MFA enrollment, registration, or security notification email is deleted or moved to deleted items in Microsoft 365 Exchange. Adversaries who compromise accounts and register their own MFA device often delete the notification emails to cover their tracks and prevent the legitimate user from noticing the unauthorized change. This technique is commonly observed in business email compromise (BEC) and account takeover attacks.
Tags
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Threat Detection
Tactic: Defense Evasion
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Users legitimately deleting MFA notification emails after reviewing them.
Automated mailbox rules that move security notifications to specific folders.
Email retention policies that automatically delete old notification emails.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
web where event.dataset == "o365.audit" and event.provider == "Exchange" and
  event.action in ("SoftDelete", "HardDelete", "MoveToDeletedItems") and
  event.outcome == "success" and
  (
    o365.audit.AffectedItems.Subject like~ (
      /* new + (mfa|multi-|factor|method|device|security) */
      "*new mfa*", "*new multi*", "*new factor*", "*new method*", "*new device*", "*new security*",
      /* 2fa and 2-step */
      "*2fa*", "*2-step*",
      /* mfa + action verbs */
      "*mfa enroll*", "*mfa register*", "*mfa added*", "*mfa change*", "*mfa verify*",
      "*mfa update*", "*mfa activate*", "*mfa configure*", "*mfa setup*",
      /* factor + action verbs */
      "*factor enroll*", "*factor register*", "*factor added*", "*factor change*", "*factor verify*",
      "*factor update*", "*factor activate*", "*factor configure*", "*factor setup*",
      /* method + action verbs */
      "*method enroll*", "*method register*", "*method added*", "*method change*", "*method verify*",
      "*method update*", "*method activate*", "*method configure*", "*method setup*",
      /* device + action verbs */
      "*device enroll*", "*device register*", "*device added*", "*device change*", "*device verify*",
      "*device update*", "*device activate*", "*device configure*", "*device setup*",
      /* security + action verbs */
      "*security enroll*", "*security register*", "*security added*", "*security change*", "*security verify*",
      "*security update*", "*security activate*", "*security configure*", "*security setup*",
      /* Additional security notifications */
      "*authenticator*", "*verification code*", "*security info*", "*security alert*"
    ) and
    not o365.audit.AffectedItems.Subject like~ ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")
  )
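To make the matching behaviour of this where-clause concrete, the following is an added Python re-implementation of the rule's predicate run over constructed Exchange audit events. It is example code written for this page, not part of the Elastic rule or the o365 integration. It assumes the flattened ECS/o365 field names used in the query, approximates EQL's case-insensitive `like~` with `fnmatch`, and treats the multi-valued Subject field as "alert if any subject matches the inclusion list and no subject matches the exclusion list" (an assumption about EQL's array semantics). The sample events are constructed, not real audit data.

```python
import fnmatch

# Constants mirror the EQL rule above.
DATASET = "o365.audit"
PROVIDER = "Exchange"
ACTIONS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}

NOUNS = ("mfa", "factor", "method", "device", "security")
VERBS = ("enroll", "register", "added", "change", "verify",
         "update", "activate", "configure", "setup")

# Same pattern list as the rule, generated from its noun/verb grid.
SUBJECT_PATTERNS = (
    [f"*new {w}*" for w in ("mfa", "multi", "factor", "method", "device", "security")]
    + ["*2fa*", "*2-step*"]
    + [f"*{n} {v}*" for n in NOUNS for v in VERBS]
    + ["*authenticator*", "*verification code*", "*security info*", "*security alert*"]
)
EXCLUDE_PATTERNS = ("*sign-in*", "*sign in*", "*log-in*", "*log in*", "*logon*")


def like_ci(value, pattern):
    """Case-insensitive wildcard match, approximating EQL's `like~` operator."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event):
    """Return True when a flattened audit event satisfies the rule's where-clause."""
    if event.get("event.dataset") != DATASET or event.get("event.provider") != PROVIDER:
        return False
    if event.get("event.action") not in ACTIONS or event.get("event.outcome") != "success":
        return False
    subjects = event.get("o365.audit.AffectedItems.Subject") or []
    if isinstance(subjects, str):
        subjects = [subjects]
    # Assumed multi-value semantics: any subject in the inclusion list,
    # and no subject in the sign-in/logon exclusion list.
    included = any(like_ci(s, p) for s in subjects for p in SUBJECT_PATTERNS)
    excluded = any(like_ci(s, p) for s in subjects for p in EXCLUDE_PATTERNS)
    return included and not excluded


def audit_event(action, subject, outcome="success", provider=PROVIDER):
    """Build a constructed, flattened o365 Exchange audit event."""
    return {
        "event.dataset": DATASET,
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "o365.audit.AffectedItems.Subject": [subject],
    }


# Constructed sample events covering hits, the sign-in exclusion, and misses.
SAMPLE_EVENTS = [
    audit_event("HardDelete", "New MFA method added"),                                   # hit
    audit_event("MoveToDeletedItems", "Microsoft Authenticator was added to your account"),  # hit
    audit_event("SoftDelete", "Security alert: New sign-in to your account"),            # excluded
    audit_event("HardDelete", "New MFA method added", outcome="failure"),                 # wrong outcome
    audit_event("Update", "New MFA method added"),                                       # action not in list
    audit_event("HardDelete", "Your MFA method was updated"),                            # verb not adjacent: miss
    audit_event("SoftDelete", "Your password was changed"),                              # unrelated
]


def alerts(events):
    """Return the subjects of every event the rule would alert on."""
    return [s for e in events if matches_rule(e)
            for s in e["o365.audit.AffectedItems.Subject"]]


if __name__ == "__main__":
    for subject in alerts(SAMPLE_EVENTS):
        print("ALERT:", subject)
```

The sixth sample shows a limit worth knowing when tuning: the noun/verb patterns require the noun to be immediately followed by the verb, so "Your MFA method was updated" is not caught even though it is an MFA change notice. Compare the pattern list against the actual subject lines your tenant's identity provider sends before relying on the rule for coverage, and review the mailbox-rule and retention-policy false positives listed above when an alert fires on a MoveToDeletedItems action.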

Install detection rules in Elastic Security

Detect M365 Exchange MFA Notification Email Deleted or Moved in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.