M365 Suspicious Compliance Search

View all detections

Triggers

The Exchange compliance search functionality was observed being used by an account that does not normally use this functionality.

Possible Root Causes

Attackers may use compliance searches to search across Exchange mailboxes for sensitive data to collect and exfiltrate.
Some internal users may use compliance searches to support legitimate business operations like legal and HR for litigation, audit, and compliance purposes.

Business Impact

Compliance search capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.

Steps to Verify

Review the account in question to ensure they should be issuing compliance searches within the environment.
Review the search being done to determine if the data being sought may be particularly interesting to attackers.
Contact the user to ensure the searches are being done in compliance with company policy

Related MITRE ATT&CK Techniques

Data from Information Repositories

T1213

See our Detections in Action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour

Ask for a custom demo