O365 Email Receive and Hard Delete Takeover Behavior

Splunk Security Content

Summary
This detection rule identifies potential account takeover incidents in Office 365. It targets situations where a recipient receives an email about a sensitive change (such as a password or banking-detail update) and then deletes that email within a short timeframe. That sequence is characteristic of a threat actor who has taken over the mailbox and is trying to hide evidence while manipulating payroll or other sensitive account information. The detection relies on two data sources: the Office 365 Universal Audit Log and the Office 365 Reporting Message Trace. The search checks message-trace subjects for specific keywords and cross-references the matches with audit-log hard delete operations in the relevant mailbox folders. Aggregating and comparing the receive and delete timestamps per recipient confirms that the delete closely followed the receipt, which is what makes the observed activity risky.
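The correlation the summary describes, written out as an added example in Python (not Splunk's own SPL rule and not code from Splunk Security Content). It runs the two-source logic over constructed sample records: message-trace rows are screened for sensitive subject keywords, audit-log rows are filtered to hard deletes in relevant folders, and the two are joined on recipient and subject so that only deletes inside a short window after receipt are reported. The keyword list, the folder names, the 30-minute window and the simplified field names (`recipient`, `subject`, `received`, `user`, `operation`, `folder`, `time`) are assumptions for this example, not the exact Office 365 schema or the rule's real thresholds.

```python
from datetime import datetime, timedelta

# Subject keywords standing in for the "sensitive change" terms the rule looks for (assumed).
SENSITIVE_KEYWORDS = ("password", "bank", "banking", "direct deposit", "payroll")
# Mailbox folders treated as "relevant" for hard deletes (assumed for this example).
RELEVANT_FOLDERS = {"\\Inbox", "\\Deleted Items", "\\Junk Email"}
# What counts as a "short timeframe" between receipt and hard delete (assumed threshold).
DEFAULT_WINDOW = timedelta(minutes=30)

# Constructed sample data. Field names are simplified stand-ins, not the real
# Message Trace / Unified Audit Log schema.
MESSAGE_TRACE = [
    {"recipient": "alice@example.com", "subject": "Your direct deposit details were updated",
     "received": "2025-01-20T09:02:00"},
    {"recipient": "alice@example.com", "subject": "Lunch on Friday?",
     "received": "2025-01-20T09:10:00"},
    {"recipient": "bob@example.com", "subject": "Password changed for your account",
     "received": "2025-01-20T10:00:00"},
    {"recipient": "carol@example.com", "subject": "Bank account verification",
     "received": "2025-01-20T11:00:00"},
]

AUDIT_LOG = [
    # Alice: hard delete of the sensitive mail 3.5 minutes after receipt -> should fire.
    {"user": "alice@example.com", "operation": "HardDelete", "folder": "\\Inbox",
     "subject": "Your direct deposit details were updated", "time": "2025-01-20T09:05:30"},
    # Bob: same pattern, but four hours later -> outside the window, should not fire.
    {"user": "bob@example.com", "operation": "HardDelete", "folder": "\\Inbox",
     "subject": "Password changed for your account", "time": "2025-01-20T14:00:00"},
    # Carol: only a soft delete -> not a hard delete, should not fire.
    {"user": "carol@example.com", "operation": "SoftDelete", "folder": "\\Inbox",
     "subject": "Bank account verification", "time": "2025-01-20T11:01:00"},
]


def is_sensitive(subject: str) -> bool:
    """Case-insensitive keyword screen on the email subject."""
    lowered = subject.lower()
    return any(keyword in lowered for keyword in SENSITIVE_KEYWORDS)


def find_receive_then_hard_delete(trace, audit, window=DEFAULT_WINDOW):
    """Join message-trace receipts with audit-log hard deletes on (user, subject).

    Returns one finding per (receipt, hard delete) pair where the delete happened
    at or after receipt and within `window`.
    """
    # Index qualifying hard deletes by (user, subject) so each receipt is a cheap lookup.
    deletes = {}
    for event in audit:
        if event["operation"] != "HardDelete" or event["folder"] not in RELEVANT_FOLDERS:
            continue
        key = (event["user"].lower(), event["subject"].lower())
        deletes.setdefault(key, []).append(datetime.fromisoformat(event["time"]))

    findings = []
    for message in trace:
        if not is_sensitive(message["subject"]):
            continue
        received = datetime.fromisoformat(message["received"])
        key = (message["recipient"].lower(), message["subject"].lower())
        for deleted in deletes.get(key, []):
            delta = deleted - received
            # Require the delete to follow the receipt and land inside the window.
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": message["recipient"],
                    "subject": message["subject"],
                    "received": received.isoformat(),
                    "hard_deleted": deleted.isoformat(),
                    "seconds_between": int(delta.total_seconds()),
                })
    return findings


def summarize_by_user(findings):
    """Aggregate findings per user: how many hits and the tightest receive-to-delete gap."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["user"], {"count": 0, "min_seconds_between": None})
        entry["count"] += 1
        gap = f["seconds_between"]
        if entry["min_seconds_between"] is None or gap < entry["min_seconds_between"]:
            entry["min_seconds_between"] = gap
    return summary


if __name__ == "__main__":
    hits = find_receive_then_hard_delete(MESSAGE_TRACE, AUDIT_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_user(hits))
```

Only Alice's record is reported: Bob's delete falls outside the window and Carol's is a soft delete. In a production version the window and folder list are the tuning knobs; too wide a window pulls in ordinary users tidying their inbox, too narrow misses a deliberate cleanup that waits a few minutes.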
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1114
  • T1070.008
  • T1485
  • T1114.001
Created: 2025-01-20