M365 Suspicious Compliance Search

Detection overview

Triggers

  • The Exchange compliance search functionality was used by an account that does not normally use it.

Possible Root Causes

  • Attackers may use compliance searches to search across Exchange mailboxes for sensitive data to collect and exfiltrate.
  • Some internal users may use compliance searches to support legitimate business operations like legal and HR for litigation, audit, and compliance purposes.

Business Impact

  • Compliance search capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.

Steps to Verify

  1. Review the account in question to confirm that it should be issuing compliance searches within the environment.
  2. Review the search being performed to determine whether the data being sought would be particularly interesting to attackers.
  3. Contact the user to confirm the searches are being performed in compliance with company policy.
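The trigger above is a baseline comparison: learn which accounts normally run compliance searches, then alert on an account that issues one without any history of doing so. The following example (written for this page, not the detection product's own logic) runs that comparison over constructed JSON-lines audit records; the field names follow the Unified Audit Log schema, but the operation names treated as compliance-search activity are assumptions.

```python
import json
from datetime import datetime

# Constructed sample of Unified Audit Log records as JSON lines (not real data).
# Field names follow the common UAL schema; the operation names used here for
# compliance-search activity are assumptions made for this illustration.
SAMPLE_LOG = """
{"CreationTime": "2024-03-01T09:12:00", "UserId": "legal.ops@example.com", "Operation": "SearchCreated", "ObjectId": "Litigation-2024-01"}
{"CreationTime": "2024-03-04T10:05:00", "UserId": "legal.ops@example.com", "Operation": "SearchStarted", "ObjectId": "Litigation-2024-01"}
{"CreationTime": "2024-03-18T14:30:00", "UserId": "hr.audit@example.com", "Operation": "SearchCreated", "ObjectId": "HR-Audit-Q1"}
{"CreationTime": "2024-04-02T03:41:00", "UserId": "jdoe@example.com", "Operation": "MailItemsAccessed", "ObjectId": "jdoe@example.com"}
{"CreationTime": "2024-04-02T03:43:00", "UserId": "JDoe@example.com", "Operation": "SearchCreated", "ObjectId": "Sweep-All-Mailboxes"}
{"CreationTime": "2024-04-02T03:50:00", "UserId": "jdoe@example.com", "Operation": "SearchExported", "ObjectId": "Sweep-All-Mailboxes"}
{"CreationTime": "2024-04-03T11:00:00", "UserId": "legal.ops@example.com", "Operation": "SearchCreated", "ObjectId": "Litigation-2024-02"}
"""

# Audit operations treated as compliance-search activity (assumed names).
COMPLIANCE_SEARCH_OPS = {"SearchCreated", "SearchStarted", "SearchExported"}

def parse_records(text):
    """Parse a JSON-lines export, keep compliance-search events, sort by time."""
    records = []
    for line in text.strip().splitlines():
        r = json.loads(line)
        if r["Operation"] in COMPLIANCE_SEARCH_OPS:
            r["ts"] = datetime.fromisoformat(r["CreationTime"])
            records.append(r)
    return sorted(records, key=lambda r: r["ts"])

def build_baseline(records, cutoff):
    """Accounts (lower-cased UPNs) that ran searches before the ISO-8601 cutoff."""
    c = datetime.fromisoformat(cutoff)
    return {r["UserId"].lower() for r in records if r["ts"] < c}

def detect_new_searchers(records, baseline, cutoff):
    """Alert once per account that issues a compliance search after the cutoff
    without having done so during the learning period."""
    c, seen, alerts = datetime.fromisoformat(cutoff), set(baseline), []
    for r in records:
        user = r["UserId"].lower()
        if r["ts"] >= c and user not in seen:
            alerts.append({"user": user, "time": r["CreationTime"],
                           "operation": r["Operation"], "search": r["ObjectId"]})
            seen.add(user)  # later searches by the same account do not re-alert
    return alerts

def run(text=SAMPLE_LOG, cutoff="2024-04-01T00:00:00"):
    records = parse_records(text)
    return detect_new_searchers(records, build_baseline(records, cutoff), cutoff)
```

Each alert carries the search name, which is what step 2 above asks an analyst to review; in a real environment the records would come from a Search-UnifiedAuditLog export rather than the constructed sample.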