Listing Email Remediation Actions via Explorer

Hunt Hypothesis

Adversaries may use Explorer to list email remediation actions as part of exfiltration or data manipulation tactics. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential unauthorized access and data compromise attempts.

KQL Query

EmailEvents
| where Timestamp > ago(30d)
| where LatestDeliveryAction in ("Hard delete", "Soft delete", "Moved to junk folder", "Moved to deleted items")
| summarize HardDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Hard delete"),  
            SoftDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Soft delete"),
            MoveToJunk_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to junk folder"),
            MoveToDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to deleted items") by RecipientEmailAddress
| extend HardDelete_case = array_length(HardDelete_NetworkID)
| extend SoftDelete_case = array_length(SoftDelete_NetworkID)
| extend MoveToJunk_case = array_length(MoveToJunk_NetworkID)
| extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
| extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
| project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
| order by Sum_case desc

Analytic Rule Definition

id: 99713387-9d61-49eb-8edc-f51153d8bb01
name: Listing Email Remediation Actions via Explorer
description: |
  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
description-detailed: |
  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
  - Track each cases with Network Message ID
  - Sort the users who got a number of actions 
  - e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items 
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where LatestDeliveryAction in ("Hard delete", "Soft delete", "Moved to junk folder", "Moved to deleted items")
  | summarize HardDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Hard delete"),  
              SoftDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Soft delete"),
              MoveToJunk_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to junk folder"),
              MoveToDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to deleted items") by RecipientEmailAddress
  | extend HardDelete_case = array_length(HardDelete_NetworkID)
  | extend SoftDelete_case = array_length(SoftDelete_NetworkID)
  | extend MoveToJunk_case = array_length(MoveToJunk_NetworkID)
  | extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
  | extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
  | project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
  | order by Sum_case desc
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Remediation/Email remediation action list.yaml)

False Positive Guidance

Scenario: An administrator is performing a scheduled email cleanup job using Microsoft 365 Compliance Center to remove outdated emails from a user’s mailbox.
Filter/Exclusion: Exclude actions originating from the Compliance Center or Microsoft 365 Admin Center.
Scenario: A user is using Microsoft Outlook (via the web or desktop) to manually move or delete emails as part of their daily email management.
Filter/Exclusion: Exclude actions where the source application is Outlook or Exchange Online.
Scenario: A Microsoft Teams user is archiving emails during a meeting or collaboration session, which is logged as a remediation action.
Filter/Exclusion: Exclude actions associated with Microsoft Teams or Teams collaboration activities.
Scenario: An Exchange Online PowerShell script is run to purge emails from a mailbox as part of a compliance or retention policy.
Filter/Exclusion: Exclude actions where the source is PowerShell or Exchange Online PowerShell.
Scenario: A Microsoft Defender for Office 365 admin is reviewing and approving a remediation action in the Threat Explorer or Incident Dashboard.
Filter/Exclusion: Exclude actions where the user role is Admin or Threat Explorer related.