O365 Email Hard Delete Excessive Volume

Splunk Security Content

Summary
This rule detects an Office 365 email account that performs an excessive number of hard deletions within a short time frame, specifically one hour. Such behavior could indicate a compromised account whose operator is permanently deleting a large volume of email to remove traces of their activity. Certain legitimate user actions can produce the same alert, although they may not conform to organizational best practices for email management. The detection leverages the Office 365 Universal Audit Log and monitors hard deletions only from the 'Sent Items' and 'Recoverable Items/Deletions' folders. It applies a threshold that flags any account deleting more than 50 emails, or more than 10 MB of email in total, within the one-hour window. Users who routinely clean out their recoverable items folder may trigger this alert falsely, so an understanding of normal behavior patterns is needed to separate legitimate actions from potential threats.
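The aggregation described above, as an added example that is not the rule's own Splunk search: it replays the same logic in Python over constructed audit records. The record layout (`UserId`, `Operation`, `CreationTime`, `Folder.Path`, `AffectedItems[].SizeInBytes`), the folder path strings, the fixed hourly bins, and the reading of 10 MB as 10 MiB are all assumptions made for the example, not details taken from the page.

```python
"""Hourly hard-delete volume check over Office 365 audit-style records.

All field names, folder path strings, and the sample events below are
assumptions constructed for this example; they are not the rule's own
search or a verbatim Unified Audit Log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

COUNT_THRESHOLD = 50                 # page: more than 50 emails per hour
SIZE_THRESHOLD = 10 * 1024 * 1024    # page: 10 MB; binary MiB is an assumption

# Only the two folders the rule monitors (path strings are assumed).
MONITORED_FOLDER = re.compile(
    r"\\(Sent Items|Recoverable Items\\Deletions)$", re.IGNORECASE
)


def is_monitored(folder_path):
    """True if the folder path ends in Sent Items or Recoverable Items\\Deletions."""
    return bool(MONITORED_FOLDER.search(folder_path or ""))


def hourly_hard_deletes(events):
    """Aggregate HardDelete items per (user, hour bin): item count and total bytes."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if ev.get("Operation") != "HardDelete":       # soft deletes are out of scope
            continue
        if not is_monitored(ev.get("Folder", {}).get("Path")):
            continue
        # Fixed one-hour bins (assumption; a sliding window is an alternative).
        hour = datetime.fromisoformat(ev["CreationTime"]).replace(
            minute=0, second=0, microsecond=0
        )
        agg = buckets[(ev["UserId"], hour)]
        for item in ev.get("AffectedItems", []):
            agg["count"] += 1
            agg["bytes"] += int(item.get("SizeInBytes", 0))
    return buckets


def detect(events):
    """Return one finding per (user, hour) that crosses either threshold."""
    findings = []
    for (user, hour), agg in sorted(hourly_hard_deletes(events).items()):
        reasons = []
        if agg["count"] > COUNT_THRESHOLD:
            reasons.append(f"count {agg['count']} > {COUNT_THRESHOLD}")
        if agg["bytes"] > SIZE_THRESHOLD:
            reasons.append(f"bytes {agg['bytes']} > {SIZE_THRESHOLD}")
        if reasons:
            findings.append({"user": user, "hour": hour.isoformat(),
                             "count": agg["count"], "bytes": agg["bytes"],
                             "reasons": reasons})
    return findings


def make_event(user, op, folder, when, sizes):
    """Build one constructed audit-style record with one AffectedItems entry per size."""
    return {"UserId": user, "Operation": op, "CreationTime": when.isoformat(),
            "Folder": {"Path": folder},
            "AffectedItems": [{"Id": f"{user}-{i}", "SizeInBytes": s}
                              for i, s in enumerate(sizes)]}


# Constructed sample data: all events fall in the 09:00-09:59 bin.
BASE = datetime(2025, 1, 20, 9, 0, 0)
SAMPLE_EVENTS = (
    # 60 small hard deletes from Sent Items -> trips the count threshold
    [make_event("alice@example.com", "HardDelete", "\\Sent Items",
                BASE + timedelta(seconds=30 * i), [4096]) for i in range(60)]
    # 3 items, one of 12 MiB, purged from Recoverable Items -> trips the size threshold
    + [make_event("bob@example.com", "HardDelete", "\\Recoverable Items\\Deletions",
                  BASE + timedelta(minutes=5), [12 * 1024 * 1024, 2048, 2048])]
    # 55 hard deletes from Inbox -> folder not monitored, no finding
    + [make_event("carol@example.com", "HardDelete", "\\Inbox",
                  BASE + timedelta(minutes=i), [4096]) for i in range(55)]
    # 55 soft deletes from Sent Items -> wrong operation, no finding
    + [make_event("dave@example.com", "SoftDelete", "\\Sent Items",
                  BASE + timedelta(minutes=i), [4096]) for i in range(55)]
    # 20 hard deletes from Sent Items -> under both thresholds, no finding
    + [make_event("erin@example.com", "HardDelete", "\\Sent Items",
                  BASE + timedelta(minutes=i), [4096]) for i in range(20)]
)

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["user"], f["hour"], ", ".join(f["reasons"]))
```

Running the block prints two findings: alice on the item count and bob on the byte total, while the Inbox deletions, the soft deletes, and the 20-item batch stay silent. Counting `AffectedItems` entries rather than audit records matters because one HardDelete record can cover many messages; the fixed hourly bin will miss a burst that straddles two hours, which is why a sliding window is worth considering when tuning.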
Categories
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • Internet Scan
ATT&CK Techniques
  • T1114
  • T1070.008
  • T1485
Created: 2025-01-20