
O365 Email Password and Payroll Compromise Behavior

Splunk Security Content

Summary
This detection targets a pattern seen in compromised Microsoft Office 365 accounts: a user receives an email about a password change or a payroll or direct-deposit redirection, and that email is deleted from the mailbox within a short time of arriving. An attacker who has taken over a mailbox to hijack payroll payments routinely deletes the confirmation messages so the legitimate owner never sees them, which is why the receive-then-delete sequence, rather than either event alone, is the signal. The search combines the Office 365 Unified Audit Log with the Reporting Message Trace, matches message subjects against keywords related to banking and authentication, and uses a series of sub-searches to pair each matching inbound message with a subsequent delete action by the same user, narrowing the results to incidents that indicate a high risk of account takeover and financial fraud. Both data sources must be ingested for the correlation to work, and because legitimate users also delete such notifications, the keyword list and time window should be tuned to the environment before the rule is used for alerting.
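The correlation described above, as an added example in Python rather than the rule's own SPL: it takes message-trace records and Unified Audit Log mailbox events, keeps inbound messages whose subject matches authentication or payroll keywords, and reports those the recipient deleted within a configurable window. The record layouts (RecipientAddress, Subject, MessageId, Received; UserId, Operation, CreationTime, AffectedItems), the keyword list and the sample data are simplifications and assumptions of this example, not fields or data from the Splunk rule.

```python
"""Correlate inbound mail about credentials or payroll with its rapid deletion.

Added example, not the Splunk rule's SPL. Record layouts are simplified from
the O365 Reporting Message Trace and Unified Audit Log (mailbox delete
operations carry an AffectedItems list) and are assumptions of this example.
"""
import re
from datetime import datetime

# Subjects the rule family cares about: authentication changes and payroll or
# banking redirection. This keyword list is an assumption, not the rule's own.
SENSITIVE_SUBJECT = re.compile(
    r"password|passcode|verification code|mfa|direct deposit|payroll|"
    r"bank account|routing number",
    re.IGNORECASE,
)

# Mailbox operations in the Unified Audit Log that remove a message from view.
DELETE_OPERATIONS = {"MoveToDeletedItems", "SoftDelete", "HardDelete"}


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2025-01-20T14:02:10Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_rapid_deletions(message_trace, audit_log, window_minutes=30):
    """Return one finding per sensitive email that its own recipient deleted
    within window_minutes of receipt. Matching prefers InternetMessageId and
    falls back to an exact subject match only when the audit item has no id."""
    # Bucket delete events by mailbox owner so each email is compared only
    # against deletions in the same mailbox, not against the whole log.
    deletes_by_user = {}
    for ev in audit_log:
        if ev.get("Operation") in DELETE_OPERATIONS:
            deletes_by_user.setdefault(ev["UserId"].lower(), []).append(ev)

    findings = []
    for msg in message_trace:
        if not SENSITIVE_SUBJECT.search(msg["Subject"]):
            continue
        received = _ts(msg["Received"])
        for ev in deletes_by_user.get(msg["RecipientAddress"].lower(), []):
            delta = (_ts(ev["CreationTime"]) - received).total_seconds()
            # A deletion before receipt belongs to another message; one after
            # the window is ordinary mailbox hygiene, not the hijack pattern.
            if delta < 0 or delta > window_minutes * 60:
                continue
            for item in ev.get("AffectedItems", []):
                if item.get("InternetMessageId") == msg["MessageId"] or (
                    "InternetMessageId" not in item and item.get("Subject") == msg["Subject"]
                ):
                    findings.append({
                        "user": msg["RecipientAddress"].lower(),
                        "subject": msg["Subject"],
                        "sender": msg["SenderAddress"],
                        "operation": ev["Operation"],
                        "seconds_to_delete": int(delta),
                    })
                    break
    return findings


# Constructed sample data (not real telemetry). alice's mailbox shows the
# hijack pattern; the other records are negatives a tuned rule must ignore.
SAMPLE_MESSAGE_TRACE = [
    {"RecipientAddress": "alice@contoso.com", "SenderAddress": "no-reply@idp.example",
     "Subject": "Your password was changed", "MessageId": "<m1@idp.example>",
     "Received": "2025-01-20T14:02:10Z"},
    {"RecipientAddress": "alice@contoso.com", "SenderAddress": "hr@contoso.com",
     "Subject": "Direct deposit update confirmation", "MessageId": "<m2@contoso.com>",
     "Received": "2025-01-20T14:05:00Z"},
    {"RecipientAddress": "alice@contoso.com", "SenderAddress": "team@contoso.com",
     "Subject": "Team lunch Friday", "MessageId": "<m3@contoso.com>",
     "Received": "2025-01-20T14:06:00Z"},
    {"RecipientAddress": "bob@contoso.com", "SenderAddress": "hr@contoso.com",
     "Subject": "Payroll schedule for February", "MessageId": "<m4@contoso.com>",
     "Received": "2025-01-20T09:00:00Z"},
    {"RecipientAddress": "carol@contoso.com", "SenderAddress": "no-reply@idp.example",
     "Subject": "Password reset request", "MessageId": "<m5@idp.example>",
     "Received": "2025-01-20T10:00:00Z"},
]

SAMPLE_AUDIT_LOG = [
    {"UserId": "alice@contoso.com", "Operation": "MailItemsAccessed",
     "CreationTime": "2025-01-20T14:03:00Z", "AffectedItems": []},
    {"UserId": "alice@contoso.com", "Operation": "HardDelete",          # 260 s after receipt
     "CreationTime": "2025-01-20T14:06:30Z",
     "AffectedItems": [{"InternetMessageId": "<m1@idp.example>", "Subject": "Your password was changed"}]},
    {"UserId": "alice@contoso.com", "Operation": "SoftDelete",          # non-sensitive subject
     "CreationTime": "2025-01-20T14:07:00Z",
     "AffectedItems": [{"InternetMessageId": "<m3@contoso.com>", "Subject": "Team lunch Friday"}]},
    {"UserId": "alice@contoso.com", "Operation": "MoveToDeletedItems",  # 720 s, subject-only item
     "CreationTime": "2025-01-20T14:17:00Z",
     "AffectedItems": [{"Subject": "Direct deposit update confirmation"}]},
    {"UserId": "bob@contoso.com", "Operation": "SoftDelete",            # 3.5 h later: outside window
     "CreationTime": "2025-01-20T12:30:00Z",
     "AffectedItems": [{"InternetMessageId": "<m4@contoso.com>", "Subject": "Payroll schedule for February"}]},
    {"UserId": "dave@contoso.com", "Operation": "HardDelete",           # different mailbox than recipient
     "CreationTime": "2025-01-20T10:01:00Z",
     "AffectedItems": [{"InternetMessageId": "<m5@idp.example>", "Subject": "Password reset request"}]},
]

if __name__ == "__main__":
    for hit in find_rapid_deletions(SAMPLE_MESSAGE_TRACE, SAMPLE_AUDIT_LOG):
        print(f"{hit['user']}: '{hit['subject']}' from {hit['sender']} "
              f"{hit['operation']} after {hit['seconds_to_delete']} s")
```

Run stand-alone, it reports the two alice events and nothing for the other mailboxes. Note the fallback to subject matching exists only because some audit items omit the message id; it can pair a deletion with the wrong message when a subject repeats, so in production prefer the id and treat subject-only matches as lower confidence.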
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1114 (Email Collection)
  • T1070.008 (Indicator Removal: Clear Mailbox Data)
  • T1485 (Data Destruction)
  • T1114.001 (Email Collection: Local Email Collection)
Created: 2025-01-20