M365 Exchange MFA Notification Email Deleted or Moved

Elastic Detection Rules

Summary
This rule detects a concealment step that is common to business email compromise (BEC) and account takeover in Microsoft 365 Exchange: the deletion, or move to Deleted Items, of the notification email Microsoft sends when a new Multi-Factor Authentication (MFA) method is registered on an account. An attacker who has taken over an account can enroll their own MFA device to keep access, then remove the notification so the legitimate owner never learns of the enrollment. The rule uses Elastic's Event Query Language (EQL) over Microsoft 365 audit logs to match mailbox deletion actions against messages that carry the MFA enrollment notification. Triage starts by identifying the affected user, reviewing their Azure AD (now Microsoft Entra ID) sign-in and audit logs for the corresponding security-info registration, and checking for abnormal access patterns or other suspicious mailbox activity (for example new inbox rules, forwarding, or unfamiliar client IP addresses). Response should include removing the unauthorized MFA enrollment and enforcing conditional access policies that restrict MFA registration to trusted conditions, such as a trusted network location or a compliant device. False positives can arise from legitimate user behaviour, such as routine message deletion or automated mailbox rules, so investigate before acting and consider exceptions for users known to generate this pattern.
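The detection logic described above, as an added worked example that is not Elastic's rule or code: a pure-Python version run over constructed Microsoft 365 unified audit log records, plus the triage correlation step against constructed Entra ID audit events. Field names follow the Exchange mailbox audit export (Workload, Operation, UserId, ClientIP, AffectedItems[].Subject) and the Entra activity name "User registered security info"; the notification subject markers, the trusted-user exception list, the simplified Entra event shape and the correlation window are assumptions.

```python
"""Added example (not from the page or Elastic): MFA-notification deletion detection."""
import json
from datetime import datetime, timedelta

# Exchange mailbox-audit operations that remove a message from the user's view.
DELETION_OPS = {"MoveToDeletedItems", "SoftDelete", "HardDelete"}

# Assumed subject fragments of the Microsoft "security info" registration notice.
MFA_SUBJECT_MARKERS = ("security info was added", "security info was changed")

# Assumed exception list for accounts known to generate this pattern legitimately.
TRUSTED_USERS = {"helpdesk@example.com"}

# Constructed audit records, one JSON object per line as the unified audit log exports them.
SAMPLE_AUDIT_LOG = [
    '{"CreationTime":"2026-02-25T08:41:10","Workload":"Exchange","Operation":"MoveToDeletedItems",'
    '"UserId":"alice@example.com","ClientIP":"203.0.113.7",'
    '"AffectedItems":[{"Subject":"Security info was added"}]}',
    '{"CreationTime":"2026-02-25T08:42:03","Workload":"Exchange","Operation":"HardDelete",'
    '"UserId":"alice@example.com","ClientIP":"203.0.113.7",'
    '"AffectedItems":[{"Subject":"Security info was added"}]}',
    '{"CreationTime":"2026-02-25T09:05:00","Workload":"Exchange","Operation":"SoftDelete",'
    '"UserId":"bob@example.com","ClientIP":"198.51.100.9",'
    '"AffectedItems":[{"Subject":"Weekly status report"}]}',
    '{"CreationTime":"2026-02-25T09:10:00","Workload":"Exchange","Operation":"SoftDelete",'
    '"UserId":"helpdesk@example.com","ClientIP":"198.51.100.20",'
    '"AffectedItems":[{"Subject":"Security info was changed"}]}',
    '{"CreationTime":"2026-02-25T09:12:00","Workload":"Exchange","Operation":"Create",'
    '"UserId":"alice@example.com","ClientIP":"203.0.113.7",'
    '"AffectedItems":[{"Subject":"Security info was added"}]}',
]

# Constructed Entra ID audit events in a simplified (assumed) shape for the triage step.
SAMPLE_ENTRA_EVENTS = [
    {"activityDateTime": "2026-02-25T08:20:31", "activityDisplayName": "User registered security info",
     "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7"},
    {"activityDateTime": "2026-02-24T10:00:00", "activityDisplayName": "User registered security info",
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.9"},
]


def is_mfa_notification(subject):
    """True if the subject looks like an MFA / security-info registration notice."""
    s = (subject or "").lower()
    return any(marker in s for marker in MFA_SUBJECT_MARKERS)


def detect(raw_records):
    """Return one alert per Exchange deletion operation whose affected items include an MFA notice."""
    alerts = []
    for line in raw_records:
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in DELETION_OPS:
            continue
        user = rec.get("UserId", "").lower()
        if user in TRUSTED_USERS:  # documented exception, not a blanket suppression
            continue
        hits = [i.get("Subject", "") for i in rec.get("AffectedItems", [])
                if is_mfa_notification(i.get("Subject"))]
        if hits:
            alerts.append({
                "time": datetime.fromisoformat(rec["CreationTime"]),
                "user": user,
                "operation": rec["Operation"],
                "client_ip": rec.get("ClientIP"),
                "subjects": hits,
            })
    return alerts


def correlate(alerts, entra_events, window_minutes=60):
    """Attach the latest security-info registration by the same user within the window before each deletion."""
    window = timedelta(minutes=window_minutes)
    enriched = []
    for alert in alerts:
        best = None
        for ev in entra_events:
            if ev["activityDisplayName"] != "User registered security info":
                continue
            if ev["userPrincipalName"].lower() != alert["user"]:
                continue
            t = datetime.fromisoformat(ev["activityDateTime"])
            if timedelta(0) <= alert["time"] - t <= window and (best is None or t > best["_t"]):
                best = {**ev, "_t": t}
        if best is not None:
            best.pop("_t")
        enriched.append({**alert, "preceding_registration": best})
    return enriched


if __name__ == "__main__":
    for hit in correlate(detect(SAMPLE_AUDIT_LOG), SAMPLE_ENTRA_EVENTS):
        reg = hit["preceding_registration"]
        print(f"{hit['time']} {hit['user']} {hit['operation']} from {hit['client_ip']}: {hit['subjects']}"
              f" | registration {reg['activityDateTime'] if reg else 'none'} in window")
```

In the sample data only alice's two deletions alert: bob deleted an unrelated message, the helpdesk account is on the exception list, and the final record is a Create rather than a deletion. The correlation step then shows that alice's deletion followed a security-info registration from the same client IP about twenty minutes earlier, which is the pattern the triage guidance above asks an analyst to look for; shrinking the window drops the match, so tune it to how quickly the notification arrives in your tenant.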
Categories
  • Cloud
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Windows Registry
ATT&CK Techniques
  • T1070
  • T1070.008
Created: 2026-02-25