
Insider Threat Matrix™

  • ID: AF027.001
  • Created: 11th August 2025
  • Updated: 19th August 2025
  • Contributor: The ITM Team

Email Deletion

The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment.

Prevention

PV068 - Microsoft Litigation Hold

Microsoft Litigation Hold is a built-in compliance feature within Microsoft 365 that preserves mailbox content, even if a subject attempts to delete or alter messages. When enabled, it ensures that emails, calendar items, and other mailbox content remain discoverable and immutable, regardless of user-side deletion or modification attempts.
Organizations can apply Litigation Hold to specific subjects, role types, or high-risk populations, and define custom hold durations (e.g., indefinite or time-bound).
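As an added example (not ITM's own code), the following Exchange Online PowerShell applies a time-bound Litigation Hold to a constructed high-risk population and then verifies that the hold is actually in place. It assumes the ExchangeOnlineManagement module is installed, the operator holds a role permitted to manage mailbox holds, and the UPNs are hypothetical.

```powershell
# Added example, not part of the ITM page: apply and verify a Litigation Hold.
# Assumes the ExchangeOnlineManagement module and a suitably privileged account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# Constructed population (hypothetical UPNs); in practice source this from an
# insider-risk case list, HR feed, or a role/department query.
$highRisk = @('j.doe@contoso.example', 'a.smith@contoso.example')

# Hold duration in days. Omit -LitigationHoldDuration for an indefinite hold.
$holdDays = 365

foreach ($upn in $highRisk) {
    Set-Mailbox -Identity $upn `
        -LitigationHoldEnabled $true `
        -LitigationHoldDuration $holdDays `
        -RetentionComment "Insider risk hold applied $(Get-Date -Format u)"
}

# Verify: every mailbox should now report LitigationHoldEnabled = True with a
# LitigationHoldDate and the expected duration. Deleted items are preserved
# only once the hold is active, so do not rely on the cmdlet returning.
$status = $highRisk | ForEach-Object {
    Get-Mailbox -Identity $_ |
        Select-Object UserPrincipalName, LitigationHoldEnabled,
                      LitigationHoldDate, LitigationHoldDuration, LitigationHoldOwner
}
$status | Format-Table -AutoSize

$missing = $status | Where-Object { -not $_.LitigationHoldEnabled }
if ($missing) {
    Write-Warning "Hold NOT active for: $($missing.UserPrincipalName -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The hold can take some time to take effect after Set-Mailbox returns, so re-run the verification step before treating the mailbox as preserved.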

Detection

DT041 - Email Gateway

Email gateway solutions offer the ability to trace inbound and outbound emails for an organization. This can be used to retrieve information such as the emails a subject sent or received, along with the subject line, content, attachments, timestamps, and recipients, even after the subject has deleted the messages from their own mailbox.

DT063 - Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.