
Summary
This rule identifies potential exfiltration activity in Office 365 email accounts: an email sent to an external recipient and then hard deleted within a 1-hour window. Such behavior is suspicious because it may indicate that a threat actor has compromised the account and is erasing evidence of exfiltration to evade detection. The detection correlates Office 365's Universal Audit Log with Reporting Message Trace data to find rapid send-then-delete sequences, particularly where the recipient is external to the organization. The search joins events on attributes such as timestamps, message IDs, and user email addresses to flag possible threats accurately, enabling timely response to account compromise and data leakage.
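An illustration of the correlation the rule performs, as an added example and not the rule's own search: constructed Message Trace and audit-log records are paired by sending user and message ID, and a pair is flagged only when the recipient domain is outside the assumed internal domain (example.com) and the HardDelete falls within the 1-hour window. Field names are assumptions, not the real O365 schema.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
WINDOW = timedelta(hours=1)          # the rule's send-to-hard-delete window

# Constructed sample records modelled on the two sources the rule correlates:
# Reporting Message Trace (send events) and Universal Audit Log (mailbox ops).
MESSAGE_TRACE = [
    {"message_id": "<m1@example.com>", "sender": "alice@example.com",
     "recipient": "drop@external-mail.test", "sent": "2025-01-20T09:00:00"},
    {"message_id": "<m2@example.com>", "sender": "alice@example.com",
     "recipient": "bob@example.com", "sent": "2025-01-20T09:05:00"},
    {"message_id": "<m3@example.com>", "sender": "carol@example.com",
     "recipient": "partner@external-mail.test", "sent": "2025-01-20T10:00:00"},
]
AUDIT_LOG = [
    {"operation": "HardDelete", "user": "alice@example.com",
     "message_id": "<m1@example.com>", "time": "2025-01-20T09:12:00"},
    {"operation": "HardDelete", "user": "alice@example.com",
     "message_id": "<m2@example.com>", "time": "2025-01-20T09:20:00"},
    {"operation": "SoftDelete", "user": "carol@example.com",
     "message_id": "<m3@example.com>", "time": "2025-01-20T10:05:00"},
    {"operation": "HardDelete", "user": "carol@example.com",
     "message_id": "<m3@example.com>", "time": "2025-01-20T13:30:00"},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def correlate(trace, audit, window=WINDOW):
    """Return (user, message_id, recipient, seconds_to_delete) for every email
    sent to an external recipient and hard-deleted by the sender within `window`."""
    # Index HardDelete events by (user, message_id); SoftDelete is ignored,
    # since only a hard delete removes the item from the recoverable folders.
    deletes = {}
    for ev in audit:
        if ev["operation"] == "HardDelete":
            key = (ev["user"].lower(), ev["message_id"])
            deletes.setdefault(key, []).append(datetime.fromisoformat(ev["time"]))
    hits = []
    for msg in trace:
        if not is_external(msg["recipient"]):
            continue  # internal recipient: outside the rule's scope
        sent = datetime.fromisoformat(msg["sent"])
        for deleted in deletes.get((msg["sender"].lower(), msg["message_id"]), []):
            delta = deleted - sent
            if timedelta(0) <= delta <= window:  # deleted after sending, within 1h
                hits.append((msg["sender"], msg["message_id"],
                             msg["recipient"], int(delta.total_seconds())))
    return hits
```

Running `correlate(MESSAGE_TRACE, AUDIT_LOG)` on the sample data flags only alice's message m1 (external recipient, hard-deleted 12 minutes after sending); m2 is internal and m3 was hard-deleted outside the window.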
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Application Log
- Process
ATT&CK Techniques
- T1114
- T1114.001
- T1070.008
- T1485
Created: 2025-01-20