- ID: DT158
- Created: 27th May 2026
- Updated: 27th May 2026
- Contributor: The ITM Team
Microsoft Purview eDiscovery Hold
Microsoft Purview eDiscovery Hold allows investigators to preserve Microsoft 365 evidence associated with a subject, recipient, group, or investigation scope. A hold can preserve Exchange mailbox content, Teams messages, SharePoint files, OneDrive content, Microsoft 365 Group data, and related collaboration artifacts before they are deleted, edited, expired, or otherwise lost.
This detection is particularly relevant where the subject may attempt anti-forensic activity such as message deletion, message modification, or removal of shared files. When applied early and scoped correctly, an eDiscovery hold can preserve deleted messages, prior versions of edited Teams messages, mailbox artifacts, shared files, and related metadata for later search, review, and export.
For Teams investigations, investigators should ensure the hold includes the relevant participant mailboxes, Team mailbox, associated SharePoint site, and OneDrive accounts used to share files. The hold should be documented in the investigative timeline, including when it was requested, when it became active, which locations were included, and any known preservation gaps.
An eDiscovery hold preserves evidence but does not restrict the subject’s access or prevent continued activity. It should therefore be treated as an evidence preservation mechanism, not a containment control.
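The scoping and documentation steps above, as an added example that is not part of the ITM page: a Security & Compliance PowerShell script that creates the case and hold, puts the four Teams locations named above in scope, and records what the service reports for the investigative timeline. Every name, address and URL is a constructed placeholder, and the `Name` property on the location objects returned by `-DistributionDetail` is an assumption.

```powershell
# Added example, not from the ITM page: scope and document a Purview eDiscovery hold
# for a Teams investigation with Security & Compliance PowerShell (ExchangeOnlineManagement).
# Every name, address and URL below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'investigator@contoso.example'

$caseName   = 'CASE-0001 Teams message tampering'   # placeholder case name
$policyName = "$caseName - Hold"

# Teams 1:1 and group chats are stored in the participants' mailboxes, channel
# messages in the Team (Microsoft 365 Group) mailbox, and shared files in the team
# SharePoint site and the sharing users' OneDrive sites. All four must be in scope.
$exchangeLocations = @(
    'subject@contoso.example',                     # subject mailbox
    'recipient@contoso.example',                   # recipient mailbox
    'project-alpha@contoso.example'                # Team (group) mailbox
)
$sharePointLocations = @(
    'https://contoso.sharepoint.com/sites/project-alpha',                # team site
    'https://contoso-my.sharepoint.com/personal/subject_contoso_example' # OneDrive
)

$requestedUtc = (Get-Date).ToUniversalTime()
New-ComplianceCase -Name $caseName -CaseType eDiscovery | Out-Null
New-CaseHoldPolicy -Name $policyName -Case $caseName `
    -ExchangeLocation $exchangeLocations `
    -SharePointLocation $sharePointLocations `
    -Enabled $true | Out-Null
# A case hold policy preserves nothing until it has a rule; with no
# -ContentMatchQuery the rule holds all content in the policy's locations.
New-CaseHoldRule -Name "$policyName - Rule" -Policy $policyName | Out-Null

# Document what the service reports, not only what was requested: the hold is not
# in force until DistributionStatus reaches Success for the policy.
$hold = Get-CaseHoldPolicy -Identity $policyName -Case $caseName -DistributionDetail
$entry = [pscustomobject]@{
    CaseName            = $caseName
    HoldRequestedUtc    = $requestedUtc
    HoldCreatedUtc      = $hold.WhenCreatedUTC
    DistributionStatus  = $hold.DistributionStatus
    RequestedExchange   = $exchangeLocations -join ';'
    RequestedSharePoint = $sharePointLocations -join ';'
    # Assumption: location objects returned with -DistributionDetail expose Name.
    HeldExchange        = ($hold.ExchangeLocation   | ForEach-Object { $_.Name }) -join ';'
    HeldSharePoint      = ($hold.SharePointLocation | ForEach-Object { $_.Name }) -join ';'
    KnownGapNote        = 'Activity before HoldCreatedUtc; any requested location absent from Held*'
}
$entry | Export-Csv -Path '.\hold-timeline.csv' -NoTypeInformation -Append
$entry
```

Re-run the `Get-CaseHoldPolicy` call until `DistributionStatus` is `Success`, and treat any requested location missing from the `Held*` columns as a preservation gap to record.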
Sections
| ID | Name | Description |
|---|---|---|
| AF033 | Message Modification | The subject edits previously sent digital communication records in order to alter, obscure, or remove evidence of prior activity, coordination, intent, or disclosure. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications. Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, relationships between individuals, and the sequence of actions leading to an infringement. Modifying a message after it has been sent can preserve the appearance of a normal communication thread while changing the evidentiary content available to investigators. Message modification may occur before, during, or after an infringement. In some cases, subjects edit messages shortly after sending them to remove threatening, coercive, inappropriate, or policy-violating language. In other cases, a subject may transmit sensitive information, credentials, instructions, or confidential data as message text, then modify the message to benign content after it has been read or copied by the intended recipient. This behavior is especially significant where the communication platform does not retain prior message versions, where edit history is excluded from standard exports, or where preservation controls were not in place at the time of the edit. Even where the original message content cannot be recovered, the act of editing a message may itself become a significant investigative indicator, particularly when correlated with alert timing, recipient activity, data access, or other case events. |
| AF030 | Message Deletion | The subject deletes digital communication records in order to remove evidence of prior activity, coordination, or intent. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications. Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, and relationships between individuals. Deleting these records can reduce the available evidentiary timeline and hinder reconstruction of events. Message deletion may occur before, during, or after an infringement. In some cases, subjects remove messages immediately after sending them to eliminate records of inappropriate requests or instructions. In other cases, deletion occurs after an alert, disciplinary action, or investigation has begun. Because communication platforms often retain administrative logs of message deletion events, the act of deleting messages may itself become a significant investigative indicator. |
| AF030.001 | Deletion of Corporate Communication Messages | The subject deletes messages from organization-managed communication platforms such as enterprise collaboration tools, internal messaging systems, or other corporate communication environments. These platforms commonly contain operational discussions, requests for information, coordination between staff, or exchanges relating to sensitive work activities. Deleting messages from these systems may remove evidence of policy violations, improper instructions, or coordination with other individuals. In many enterprise platforms, message deletion events generate administrative audit artifacts. While the message content may no longer be visible to users, deletion activity can often still be identified through platform audit logs, retention systems, or administrative investigation tools. |