M365 Suspect eDiscovery Usage

Detection overview

Triggers

  • Behaviors commonly associated with covering up a potentially malicious eDiscovery search have been observed.

Possible Root Causes

  • An attacker has compromised the eDiscovery system, is using it to actively collect and exfiltrate data, and is hiding their tracks.
  • A legitimate user has abused the eDiscovery system to gain information and has deleted the search quickly to go unnoticed.
  • An improperly created eDiscovery Search has been flagged for removal based on deviation from enterprise policies on accepted eDiscovery usage.
  • An authorized test of the eDiscovery system has been observed, and the clean-up actions from that test have been flagged as suspicious.

Business Impact

  • eDiscovery search capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
  • Abuse of eDiscovery search could result in sensitive data exfiltration as well as advancing an attack deeper into the organization.

Steps to Verify

  1. Review the account in question to confirm that it should be issuing compliance searches within the environment.
  2. Review any remaining, undeleted artifacts associated with the search to determine whether the data being sought would be particularly interesting to attackers.
  3. Contact the user to confirm that the searches are being done in compliance with company policy.
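As an added example (not part of this detection page or its vendor's logic), the create-then-delete pattern described under Triggers can be surfaced from audit records to support step 2. The field names and operation names are assumed to follow the Unified Audit Log, and the records are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Unified Audit Log entries.
# Field and operation names are assumptions for this example.
SAMPLE_EVENTS = [
    {"CreationDate": "2024-05-02T09:00:10", "UserId": "alice@example.com",
     "Operation": "SearchCreated", "ObjectId": "Q2-legal-hold"},
    {"CreationDate": "2024-05-02T09:01:00", "UserId": "alice@example.com",
     "Operation": "SearchStarted", "ObjectId": "Q2-legal-hold"},
    {"CreationDate": "2024-05-02T11:30:00", "UserId": "alice@example.com",
     "Operation": "SearchRemoved", "ObjectId": "Q2-legal-hold"},  # kept 2.5 h
    {"CreationDate": "2024-05-02T13:00:00", "UserId": "bob@example.com",
     "Operation": "SearchCreated", "ObjectId": "tmp"},
    {"CreationDate": "2024-05-02T13:00:30", "UserId": "bob@example.com",
     "Operation": "SearchStarted", "ObjectId": "tmp"},
    {"CreationDate": "2024-05-02T13:04:00", "UserId": "bob@example.com",
     "Operation": "SearchExported", "ObjectId": "tmp"},
    {"CreationDate": "2024-05-02T13:05:00", "UserId": "bob@example.com",
     "Operation": "SearchRemoved", "ObjectId": "tmp"},  # deleted after 5 min
]


def find_short_lived_searches(events, max_lifetime=timedelta(minutes=30)):
    """Pair SearchCreated with SearchRemoved per (user, search name) and
    report searches that were deleted within max_lifetime, noting whether
    they were run or exported in between (the 'covering tracks' pattern)."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["CreationDate"]):
        by_key.setdefault((e["UserId"], e["ObjectId"]), []).append(e)
    findings = []
    for (user, name), evs in by_key.items():
        created = next((e for e in evs if e["Operation"] == "SearchCreated"), None)
        removed = next((e for e in evs if e["Operation"] == "SearchRemoved"), None)
        if created is None or removed is None:
            continue
        t0 = datetime.fromisoformat(created["CreationDate"])
        t1 = datetime.fromisoformat(removed["CreationDate"])
        if t1 - t0 > max_lifetime:
            continue  # long-lived search: normal lifecycle, not flagged
        between = {e["Operation"] for e in evs
                   if t0 < datetime.fromisoformat(e["CreationDate"]) < t1}
        findings.append({
            "user": user, "search": name,
            "lifetime_minutes": round((t1 - t0).total_seconds() / 60, 1),
            "ran": "SearchStarted" in between,
            "exported": "SearchExported" in between,
        })
    return findings
```

A finding with `exported` set to True is the case to prioritise, since the results left the tenant before the search record was removed.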