AN0338: Analytic 0338
O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions correlated with suspicious login locations or MFA bypass.
Analyst context for executives and security teams
This analytic is about spotting high-risk Microsoft 365 mailbox administration activity: Remove-Mailbox or Set-Mailbox events that disable or delete accounts, especially when paired with suspicious login locations or signs of MFA bypass. For leaders, the value is in validating whether the organization can detect identity-driven mailbox disruption before it becomes an incident response, legal hold, continuity, or executive communications problem.
Executive priority
Prioritize this as an identity and cloud email control validation item. Mailbox removal or account-disable activity can affect business continuity, investigations, retention expectations, and executive operations. Security leaders should ask whether mailbox administration actions are logged, reviewed, correlated with risky sign-in context, and escalated quickly enough for incident decision-making and compliance evidence.
Technical view
SOC and detection teams should validate collection and correlation of Office Suite/O365 UnifiedAuditLog events for Remove-Mailbox and Set-Mailbox where the recorded action indicates account disablement or deletion. These cmdlet executions are recorded as Exchange admin audit records in the unified log, and the cmdlet parameters (for example AccountDisabled set to True on Set-Mailbox) are what distinguish a disable from an ordinary property change, so collection must retain the full AuditData payload rather than only the operation name. The analytic depends on joining those administrative events with suspicious login-location signals or MFA-bypass indicators for the same actor. Because no official detection logic is provided, teams need to define local thresholds, privileged-account scope, expected administrator workflows, and escalation criteria.
Likely telemetry
- O365 UnifiedAuditLog entries for Remove-Mailbox
- O365 UnifiedAuditLog entries for Set-Mailbox
- Cmdlet parameters recorded with the action that show a disable or delete (for example AccountDisabled set to True on Set-Mailbox)
- Administrator or actor identity associated with mailbox changes
- Target mailbox or account identity
Detection direction
- Confirm that UnifiedAuditLog ingestion is enabled, complete, and retained long enough to support investigation.
- Correlate mailbox removal or disabling activity with suspicious login locations or MFA-bypass context rather than alerting only on the command name.
- Prioritize events involving privileged administrators, executive mailboxes, shared mailboxes, or accounts tied to legal, finance, or operations workflows, where locally relevant.
- Tune for legitimate administrative lifecycle events such as planned offboarding, but require change-ticket or approval context for suppression.
- Test whether the SOC can reconstruct actor, target mailbox, timestamp, action, source location, and MFA context from available logs.
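The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or this page's original content. It is written in Python rather than as a SIEM query so it can run offline. The UnifiedAuditLog rows and the sign-in records are constructed; the country and MFA flags on the sign-ins are assumed to come from GeoIP and sign-in log enrichment outside the script; and the expected-country set, approved-offboarding set and lookback window are stand-ins for local tuning data.

```python
"""Added example (not from the page or MITRE): correlate high-risk Exchange Online
mailbox administration events with risky sign-in context for the same actor.
UnifiedAuditLog rows and sign-in records below are constructed for illustration."""
import json
from datetime import datetime, timedelta, timezone

# Constructed UnifiedAuditLog rows. As in the real log, AuditData is a JSON string
# and the cmdlet parameters live inside it.
UAL_ROWS = [
    {"CreationDate": "2025-03-01T02:14:05Z", "Operations": "Set-Mailbox",
     "AuditData": json.dumps({"Operation": "Set-Mailbox", "Workload": "Exchange",
                              "UserId": "admin@contoso.example", "ClientIP": "203.0.113.77",
                              "ObjectId": "cfo@contoso.example",
                              "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.example"},
                                             {"Name": "AccountDisabled", "Value": "True"}]})},
    {"CreationDate": "2025-03-01T02:16:40Z", "Operations": "Remove-Mailbox",
     "AuditData": json.dumps({"Operation": "Remove-Mailbox", "Workload": "Exchange",
                              "UserId": "admin@contoso.example", "ClientIP": "203.0.113.77",
                              "ObjectId": "legal-shared@contoso.example",
                              "Parameters": [{"Name": "Identity", "Value": "legal-shared@contoso.example"}]})},
    {"CreationDate": "2025-03-01T09:05:00Z", "Operations": "Set-Mailbox",
     "AuditData": json.dumps({"Operation": "Set-Mailbox", "Workload": "Exchange",
                              "UserId": "helpdesk@contoso.example", "ClientIP": "198.51.100.10",
                              "ObjectId": "leaver@contoso.example",
                              "Parameters": [{"Name": "Identity", "Value": "leaver@contoso.example"},
                                             {"Name": "AccountDisabled", "Value": "True"}]})},
    {"CreationDate": "2025-03-01T09:06:00Z", "Operations": "Set-Mailbox",
     "AuditData": json.dumps({"Operation": "Set-Mailbox", "Workload": "Exchange",
                              "UserId": "helpdesk@contoso.example", "ClientIP": "198.51.100.10",
                              "ObjectId": "sales@contoso.example",
                              "Parameters": [{"Name": "Identity", "Value": "sales@contoso.example"},
                                             {"Name": "DisplayName", "Value": "Sales Team"}]})},
]

# Constructed, simplified sign-in context. Assumption: your pipeline has already
# enriched sign-ins with a GeoIP country and an MFA-satisfied flag.
SIGNINS = [
    {"user": "admin@contoso.example", "time": "2025-03-01T02:10:00Z",
     "ip": "203.0.113.77", "country": "XX", "mfa": False},
    {"user": "helpdesk@contoso.example", "time": "2025-03-01T08:58:00Z",
     "ip": "198.51.100.10", "country": "US", "mfa": True},
]

EXPECTED_COUNTRIES = {"US"}                        # assumed local baseline for admin sign-ins
APPROVED_OFFBOARDING = {"leaver@contoso.example"}  # assumed feed from the change-ticket system
WINDOW = timedelta(hours=8)                        # assumed lookback from the admin action to its sign-in

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_disable_or_delete(row):
    """True for Remove-Mailbox, or Set-Mailbox whose parameters set AccountDisabled to True."""
    data = json.loads(row["AuditData"])
    if data.get("Workload") != "Exchange":
        return False
    if data["Operation"] == "Remove-Mailbox":
        return True
    if data["Operation"] == "Set-Mailbox":
        params = {p["Name"]: p["Value"] for p in data.get("Parameters", [])}
        return params.get("AccountDisabled", "").lower() == "true"
    return False

def risky_signin_context(actor, when, signins):
    """Reasons the actor's most recent sign-in inside the lookback window looks risky."""
    prior = [s for s in signins
             if s["user"] == actor and when - WINDOW <= _ts(s["time"]) <= when]
    if not prior:
        return ["no sign-in found in window"]
    last = max(prior, key=lambda s: _ts(s["time"]))
    reasons = []
    if last["country"] not in EXPECTED_COUNTRIES:
        reasons.append(f"sign-in from unexpected country {last['country']}")
    if not last["mfa"]:
        reasons.append("sign-in without MFA")
    return reasons

def detect(rows, signins):
    """One alert per disable/delete event with risky context; approved offboarding is suppressed."""
    alerts = []
    for row in rows:
        if not is_disable_or_delete(row):
            continue
        data = json.loads(row["AuditData"])
        if data.get("ObjectId") in APPROVED_OFFBOARDING:
            continue
        reasons = risky_signin_context(data["UserId"], _ts(row["CreationDate"]), signins)
        if reasons:
            alerts.append({"time": row["CreationDate"], "actor": data["UserId"],
                           "action": data["Operation"], "target": data.get("ObjectId"),
                           "source_ip": data.get("ClientIP"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(UAL_ROWS, SIGNINS):
        print(json.dumps(alert))
```

Run as written, the script raises two alerts: the AccountDisabled change against the executive mailbox and the Remove-Mailbox against the shared mailbox, both by an actor whose last sign-in came from an unexpected country without MFA. The helpdesk disable is suppressed because its target is on the approved offboarding list, and the DisplayName change is never a candidate because the parameter check fails. In production the rows would come from Search-UnifiedAuditLog with -Operations Set-Mailbox,Remove-Mailbox or from the Office 365 Management Activity API, and the suppression list should be fed from the change-ticket system rather than hard-coded.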
Mitigation priorities
- Ensure Microsoft 365 mailbox and administrator audit logging is enabled and monitored.
- Limit mailbox administration privileges to approved roles and review those assignments regularly.
- Require strong identity controls for administrative accounts, including MFA and conditional-access style checks where available in the environment.
- Establish change-management expectations for mailbox deletion, disabling, and account lifecycle actions.
- Define incident response playbooks for suspicious mailbox administration, including containment of the actor account and preservation of relevant audit evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and provides a short description but no formal detection query, tactic mapping, or relationship context. The main decision value is to verify whether cloud email administration events can be correlated with identity-risk context and investigated quickly.
No official detection text, relationships, adversary context, or ATT&CK tactics were supplied. This take is limited to the stated Office Suite platform and the described O365 UnifiedAuditLog events. Local Microsoft 365 licensing, audit configuration, retention, and identity telemetry determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4783600e8ffa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0338
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.