M365 Suspicious Compliance Search

View all detections
M365 Suspicious Compliance Search


  • The Exchange compliance search functionality was observed being used by an account that does not normally use this functionality.

Possible Root Causes

  • Attackers may use compliance searches to search across Exchange mailboxes for sensitive data to collect and exfiltrate.
  • Some internal users may use compliance searches to support legitimate business operations like legal and HR for litigation, audit, and compliance purposes.

Business Impact

  • Compliance search capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.

Steps to Verify

  1. Review the account in question to ensure they should be issuing compliance searches within the environment.
  2. Review the search being done to determine if the data being sought may be particularly interesting to attackers.
  3. Contact the user to ensure the searches are being done in compliance with company policy