M365 Suspect eDiscovery Usage
Detection overview
Triggers
- Behaviors commonly associated with covering up a potentially malicious eDiscovery search have been observed.
Possible Root Causes
- An attacker has compromised the eDiscovery system, is using it to actively collect and exfiltrate data, and is hiding their tracks.
- A legitimate user has abused the eDiscovery system to gain information and has deleted the search quickly to go unnoticed.
- An improperly created eDiscovery Search has been flagged for removal based on deviation from enterprise policies on accepted eDiscovery usage.
- An authorized test of the eDiscovery system has been observed and clean up actions from that test have been flagged as suspicious.
Business Impact
- eDiscovery search capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
- Abuse of eDiscovery search could result in sensitive data exfiltration as well as advancing an attack deeper into the organization.
Steps to Verify
- Review the account in question to ensure they should be issuing compliance searches within the environment.
- Review any remaining and undeleted artifacts associated the search being done to determine if the data being sought may be particularly interesting to attackers.
- Contact the user to ensure the searches are being done in compliance with company policy.
M365 Suspect eDiscovery Usage
Possible root causes
Malicious Detection
Benign Detection
M365 Suspect eDiscovery Usage
Example scenarios
M365 Suspect eDiscovery Usage
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Suspect eDiscovery Usage
Steps to investigate
M365 Suspect eDiscovery Usage
MITRE ATT&CK techniques covered
M365 Suspect eDiscovery Usage
Related detections
No items found.