Query Details

RULE 26 M365 Teams Mass Message Deletion

Query

// Rule    : M365 - Teams Mass Channel Message Deletion (Evidence Removal)
// Severity: High
// Tactics : DefenseEvasion, Impact
// MITRE   : T1070 (Indicator Removal), T1485 (Data Destruction)
// Freq    : PT30M   Period: PT30M
// Description: Detects bulk deletion of individual Teams channel MESSAGES by a single
//              user or bot. Note: RULE-15 covers channel/team deletion at the container
//              level. This rule targets message-level deletion — specifically relevant to
//              attackers or malicious insiders removing conversation evidence
//              (phishing coordination, data-sharing messages) before investigation.
//              Triggered by 30+ message deletions in 30 minutes, or any use of
//              bulk-delete APIs (MessageDeletedAll).
//==========================================================================================

let LookbackPeriod       = 30m;
let MsgDeleteThreshold   = 30;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "MicrosoftTeams"
| where Operation in (
    "MessageDeleted",
    "MessageDeletedAll",   // bulk / admin-level API
    "ChatMessageDeleted",
    "MessageDeletedForAll",
    "MessageHardDeletedAll")
| summarize
    DeletedCount     = count(),
    BulkDeletes      = countif(Operation in ("MessageDeletedAll", "MessageHardDeletedAll")),
    Operations       = make_set(Operation, 5),
    TeamsAffected    = make_set(TeamName, 10),
    ChannelsAffected = make_set(ChannelName, 10),
    ClientIPs        = make_set(ClientIP, 5),
    FirstDelete      = min(TimeGenerated),
    LastDelete       = max(TimeGenerated)
    by UserId, UserType
| where DeletedCount >= MsgDeleteThreshold
    or BulkDeletes >= 1
| extend
    DurationMinutes   = datetime_diff("minute", LastDelete, FirstDelete),
    IsAdminBulkDelete = BulkDeletes >= 1
| extend AlertSeverity = case(
    IsAdminBulkDelete,         "Critical",  // bulk API = intentional sweep
    DeletedCount >= 200,       "High",
    DeletedCount >= 50,        "Medium",
    "Low")
| project
    TimeGenerated    = LastDelete,
    UserId,
    UserType,
    DeletedCount,
    BulkDeletes,
    IsAdminBulkDelete,
    Operations,
    TeamsAffected,
    ChannelsAffected,
    DurationMinutes,
    ClientIPs,
    AlertSeverity

Explanation

This query is designed to detect suspicious activity related to the deletion of messages in Microsoft Teams channels. Here's a simplified breakdown:

  1. Purpose: The query aims to identify cases where a single user or bot deletes a large number of messages in Teams channels within a short period, which could indicate an attempt to remove evidence of malicious activity.

  2. Time Frame: It looks at activities that occurred in the last 30 minutes.

  3. Criteria for Detection:

    • It checks for operations related to message deletions, including both individual and bulk deletions.
    • It triggers an alert if a user deletes 30 or more messages within 30 minutes or if any bulk deletion APIs are used.

  4. Data Collection:

    • It counts the number of deleted messages and identifies if any bulk deletion operations were performed.
    • It gathers information on the operations performed, affected Teams and channels, client IPs, and the time range of deletions.

  5. Alerting:

    • The severity of the alert is determined based on the number of deletions and whether bulk deletion APIs were used.
    • Alerts are categorized as "Critical" for bulk deletions, "High" for 200 or more deletions, "Medium" for 50 or more deletions, and "Low" for fewer deletions.

  6. Output:

    • The query outputs details such as the time of the last deletion, user ID, user type, number of deletions, whether bulk deletion was used, operations performed, affected Teams and channels, duration of deletions, client IPs, and the alert severity.

This query helps in identifying potential security threats by flagging unusual deletion patterns that could indicate attempts to hide malicious activities.
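As an added reference model, not part of the rule above or of Microsoft Sentinel, the following Python re-implements the query's lookback filter, per-user grouping, threshold test and severity tiers over constructed OfficeActivity rows. It lets the tiers (threshold-only "Low", single bulk-API call "Critical", 200+ "High") and the 30-minute cut-off be checked against known inputs before the rule is deployed or its thresholds tuned. User names, team and channel names, IP addresses, UserType values and timestamps are constructed sample data.

```python
# Added reference model of the KQL rule (not the rule itself): same grouping,
# threshold and severity logic, run over constructed OfficeActivity rows.
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK_PERIOD = timedelta(minutes=30)   # let LookbackPeriod = 30m
MSG_DELETE_THRESHOLD = 30                  # let MsgDeleteThreshold = 30

DELETE_OPS = {"MessageDeleted", "MessageDeletedAll", "ChatMessageDeleted",
              "MessageDeletedForAll", "MessageHardDeletedAll"}
BULK_OPS = {"MessageDeletedAll", "MessageHardDeletedAll"}


def alert_severity(deleted_count: int, bulk_deletes: int) -> str:
    """Same tiers, in the same order, as the case() expression in the query."""
    if bulk_deletes >= 1:
        return "Critical"
    if deleted_count >= 200:
        return "High"
    if deleted_count >= 50:
        return "Medium"
    return "Low"


def minute_boundaries(first: datetime, last: datetime) -> int:
    """datetime_diff('minute', last, first) counts minute boundaries crossed, not elapsed/60."""
    f = first.replace(second=0, microsecond=0)
    l = last.replace(second=0, microsecond=0)
    return int((l - f).total_seconds() // 60)


def evaluate(records, now):
    """Mirror the KQL pipeline; return alert rows keyed by UserId."""
    window_start = now - LOOKBACK_PERIOD
    groups = defaultdict(list)
    for r in records:
        if r["RecordType"] != "MicrosoftTeams" or r["Operation"] not in DELETE_OPS:
            continue
        if not (window_start < r["TimeGenerated"] <= now):   # TimeGenerated > ago(30m)
            continue
        groups[(r["UserId"], r["UserType"])].append(r)       # summarize ... by UserId, UserType

    alerts = {}
    for (user_id, user_type), rows in groups.items():
        deleted_count = len(rows)
        bulk_deletes = sum(r["Operation"] in BULK_OPS for r in rows)
        if deleted_count < MSG_DELETE_THRESHOLD and bulk_deletes == 0:
            continue                                          # below threshold, no bulk API
        first = min(r["TimeGenerated"] for r in rows)
        last = max(r["TimeGenerated"] for r in rows)
        alerts[user_id] = {
            "UserType": user_type,
            "DeletedCount": deleted_count,
            "BulkDeletes": bulk_deletes,
            "IsAdminBulkDelete": bulk_deletes >= 1,
            "Operations": sorted({r["Operation"] for r in rows}),
            "ChannelsAffected": sorted({r["ChannelName"] for r in rows}),
            "DurationMinutes": minute_boundaries(first, last),
            "AlertSeverity": alert_severity(deleted_count, bulk_deletes),
        }
    return alerts


def burst(user_id, user_type, op, count, start, step, channel="General"):
    """Build `count` constructed Teams audit rows spaced `step` apart (sample data, not real logs)."""
    return [{"RecordType": "MicrosoftTeams", "Operation": op, "UserId": user_id,
             "UserType": user_type, "TeamName": "Finance", "ChannelName": channel,
             "ClientIP": "203.0.113.10", "TimeGenerated": start + i * step}
            for i in range(count)]


NOW = datetime(2026, 3, 18, 10, 0, 0)
SAMPLE_RECORDS = (
    # 35 single deletions in ~8.5 min: crosses the 30-message threshold, no bulk API -> "Low"
    burst("alice@contoso.example", "Regular", "MessageDeleted", 35,
          NOW - timedelta(minutes=20), timedelta(seconds=15))
    # one bulk-API call is enough on its own -> "Critical"
    + burst("bob@contoso.example", "Admin", "MessageDeletedAll", 1,
            NOW - timedelta(minutes=5), timedelta(0), channel="Payments")
    # 210 deletions by an application identity -> "High"
    + burst("svc-cleanup@contoso.example", "Application", "ChatMessageDeleted", 210,
            NOW - timedelta(minutes=25), timedelta(seconds=5))
    # 12 deletions inside the window plus 25 older than the lookback: only 12 count -> no alert
    + burst("carol@contoso.example", "Regular", "MessageDeleted", 12,
            NOW - timedelta(minutes=10), timedelta(seconds=10))
    + burst("carol@contoso.example", "Regular", "MessageDeleted", 25,
            NOW - timedelta(minutes=60), timedelta(seconds=10))
    # a non-Teams deletion is outside this rule's scope
    + [{"RecordType": "SharePoint", "Operation": "FileDeleted", "UserId": "dan@contoso.example",
        "UserType": "Regular", "TeamName": "", "ChannelName": "", "ClientIP": "203.0.113.11",
        "TimeGenerated": NOW - timedelta(minutes=1)}]
)

if __name__ == "__main__":
    for user, a in evaluate(SAMPLE_RECORDS, NOW).items():
        print(f"{a['AlertSeverity']:8} {user:30} deleted={a['DeletedCount']} "
              f"bulk={a['BulkDeletes']} minutes={a['DurationMinutes']}")
```

Running it prints three alerts (alice as Low, bob as Critical, svc-cleanup as High) and none for carol, whose older deletions fall outside the 30-minute lookback; that carol case is the one to keep in mind when tuning, since an actor who spaces deletions across scheduling windows stays under the per-window count.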

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, MicrosoftTeams, MessageDeleted, MessageDeletedAll, ChatMessageDeleted, MessageDeletedForAll, MessageHardDeletedAll, UserId, UserType, TeamName, ChannelName, ClientIP, TimeGenerated

Operators

let, ago, in, summarize, count, countif, make_set, min, max, by, extend, datetime_diff, case, project