Sent Items Deletion Detection
Query
//This query detects deletion of emails from Sent Items folder
//Helps identify potential attackers trying to cover their tracks after sending malicious emails
OfficeActivity
| where Operation in~ ("SoftDelete","MoveToDeletedItems","HardDelete")
| extend AffectedItemsPath = tostring(parse_json(Folder).Path)
| project-reorder UserId, ClientIP, UserType, MailboxOwnerUPN, Logon_Type, AffectedItemsPath
//| where UserId != MailboxOwnerUPN
| where AffectedItemsPath contains "Sent Items"Explanation
This query is designed to detect when emails are deleted from the "Sent Items" folder in an email system. It aims to identify potential attackers who might be trying to hide their tracks after sending harmful emails. Here's a breakdown of what the query does:
-
Data Source: It looks at the
OfficeActivitydata, which logs various actions taken in an email system. -
Filter Operations: It filters the data to only include actions where emails are deleted. These actions are specified as "SoftDelete," "MoveToDeletedItems," and "HardDelete."
-
Extract Path: It extracts the path of the affected items (emails) from the
Folderfield and stores it in a new field calledAffectedItemsPath. -
Select Fields: It selects and orders specific fields for the output:
UserId,ClientIP,UserType,MailboxOwnerUPN,Logon_Type, andAffectedItemsPath. -
Filter by Folder: Finally, it filters the results to only include actions where the
AffectedItemsPathcontains "Sent Items," indicating that the deleted emails were originally in the "Sent Items" folder.
This query helps in monitoring and investigating suspicious email deletions that could indicate malicious activity.
Details

Muzammil Mahmood
Released: November 10, 2024
Tables
Keywords
Operators