EOL Hunting: Unusual User Behavior

Detecting Unusual User Behavior

Unusual user behavior, such as mass message deletions or changes to mailbox settings, can be an indicator of either insider threats or compromised accounts.

Indicators of Unusual User Behavior:

  • Mass Deletions: Large volumes of message deletions, or emptying of the Deleted Items folder, can be a sign that a user (or an attacker using the user's account) is trying to cover their tracks.

  • Changes to Mailbox Permissions: Unauthorized changes to mailbox permissions, such as granting access to external users or setting up delegation, can indicate that someone is establishing access to the mailbox beyond its owner.

  • Unusual Sending Patterns: An abnormally high volume of sent email, especially messages with suspicious content or attachments, can indicate a compromised account being used for spam, phishing, or data exfiltration.

  1. Using Mailbox Audit Logs to Detect Mass Deletions:

    • Review mailbox audit logs for mass deletions or other suspicious activity.

  2. Detecting Changes in Mailbox Permissions:

    • Investigate any changes to mailbox permissions, especially if permissions are being granted to users outside the organization.

  3. Tracking Abnormal Sending Patterns:

    • Monitor sent items and outbound email flow for suspicious activity, such as bulk emails containing sensitive information or malware.

Threat Hunting Insight:

  • Insider Threat Detection: Investigating changes to mailbox settings or large-scale deletions can uncover insider threats or malicious behavior by compromised accounts.
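The three indicators and the three hunting steps above, as an added example that is not part of the original page: Python detection logic run over a constructed set of audit records. The records imitate the shape of Exchange Online Unified Audit Log entries (CreationTime, UserId, Operation, AffectedItems, Parameters) as they would be exported with Search-UnifiedAuditLog, but the field layout, the operation names, the domain example.com, every user name, and the thresholds are assumptions made for the example, not values taken from the page.

```python
"""Hunt for mass deletions, external permission grants and sending spikes
in mailbox audit records. Sample data below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

# Operation names assumed to mirror Exchange Online audit operations
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}
PERMISSION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "AddFolderPermissions"}
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}


def _rec(t, user, op, **extra):
    """Build one audit record in the assumed AuditData-like layout."""
    return {"CreationTime": t.isoformat(), "UserId": user, "Operation": op, **extra}


# Constructed sample: alice behaves normally; bob (assumed compromised) hard-deletes
# 150 items in 16 minutes, sends 420 mails in one day and grants an outsider FullAccess.
BASE = datetime(2024, 3, 4, 9, 0)  # constructed date
SAMPLE_RECORDS = []
for d in range(3):
    SAMPLE_RECORDS += [_rec(BASE + timedelta(days=d, minutes=5 * i), "alice@example.com", "Send") for i in range(10)]
    SAMPLE_RECORDS += [_rec(BASE + timedelta(days=d, minutes=3 * i), "bob@example.com", "Send") for i in range(8)]
    SAMPLE_RECORDS.append(_rec(BASE + timedelta(days=d, hours=1), "alice@example.com", "SoftDelete",
                               AffectedItems=[{"Id": f"a-{d}-{k}"} for k in range(3)]))
for i in range(5):
    SAMPLE_RECORDS.append(_rec(BASE + timedelta(days=3, minutes=4 * i), "bob@example.com", "HardDelete",
                               AffectedItems=[{"Id": f"b-{i}-{k}"} for k in range(30)]))
SAMPLE_RECORDS += [_rec(BASE + timedelta(days=3, hours=2, seconds=10 * i), "bob@example.com", "Send") for i in range(420)]
SAMPLE_RECORDS.append(_rec(BASE + timedelta(days=3, hours=4), "bob@example.com", "Add-MailboxPermission",
                           Parameters=[{"Name": "Identity", "Value": "bob@example.com"},
                                       {"Name": "User", "Value": "outsider@partner-mail.test"},
                                       {"Name": "AccessRights", "Value": "FullAccess"}]))
SAMPLE_RECORDS.append(_rec(BASE + timedelta(days=1, hours=3), "carol@example.com", "Add-MailboxPermission",
                           Parameters=[{"Name": "Identity", "Value": "carol@example.com"},
                                       {"Name": "User", "Value": "dave@example.com"},
                                       {"Name": "AccessRights", "Value": "FullAccess"}]))


def _time(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _item_count(rec):
    # One delete record may cover several AffectedItems (assumed shape); count each item.
    return max(1, len(rec.get("AffectedItems", [])))


def find_mass_deletions(records, threshold=100, window=timedelta(hours=1)):
    """Return {user: peak} for users who deleted more than `threshold` items in any `window`."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DELETE_OPS:
            per_user[r["UserId"]].append((_time(r), _item_count(r)))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        peak = running = j = 0
        for i, (t_i, _) in enumerate(events):
            while j < len(events) and events[j][0] - t_i <= window:  # grow the window end
                running += events[j][1]
                j += 1
            peak = max(peak, running)
            running -= events[i][1]  # slide the window start forward
        if peak > threshold:
            flagged[user] = peak
    return flagged


def _param(rec, name):
    return next((p["Value"] for p in rec.get("Parameters", []) if p["Name"] == name), None)


def find_external_permission_grants(records, org_domain=ORG_DOMAIN):
    """Permission grants whose grantee (assumed to be a UPN) is outside org_domain."""
    hits = []
    for r in records:
        if r["Operation"] not in PERMISSION_OPS:
            continue
        grantee = _param(r, "User") or ""
        if grantee and not grantee.lower().endswith("@" + org_domain):
            hits.append({"actor": r["UserId"], "mailbox": _param(r, "Identity"),
                         "grantee": grantee, "rights": _param(r, "AccessRights")})
    return hits


def find_sending_spikes(records, factor=5.0, floor=50):
    """Users whose sends on some day exceed factor x their median daily sends (and at least floor)."""
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["Operation"] in SEND_OPS:
            daily[r["UserId"]][_time(r).date()] += 1
    flagged = {}
    for user, days in daily.items():
        if len(days) < 2:
            continue  # no baseline to compare against
        baseline = median(days.values())
        for day, n in days.items():
            if n >= floor and n > factor * baseline:
                flagged[user] = (day.isoformat(), n, baseline)
    return flagged


if __name__ == "__main__":
    print("mass deletions:", find_mass_deletions(SAMPLE_RECORDS))
    print("external grants:", find_external_permission_grants(SAMPLE_RECORDS))
    print("sending spikes:", find_sending_spikes(SAMPLE_RECORDS))
```

The deletion check counts items rather than records, because a single HardDelete audit entry can cover many messages; the sending check compares each day against the user's own median so a naturally busy mailbox is not flagged on volume alone, and the floor keeps a user with a tiny baseline from being flagged for a handful of mails.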
