Preventions
- ID: PV068
- Created: 19th August 2025
- Updated: 19th August 2025
- Contributor: The ITM Team
Microsoft Litigation Hold
Microsoft Litigation Hold is a built-in compliance feature within Microsoft 365 that preserves mailbox content, even if a subject attempts to delete or alter messages. When enabled, it ensures that emails, calendar items, and other mailbox content remain discoverable and immutable, regardless of user-side deletion or modification attempts.
Organizations can apply Litigation Hold to specific subjects, role types, or high-risk populations, and define custom hold durations (e.g., indefinite or time-bound).
Sections
| ID | Name | Description |
|---|---|---|
| AF027.001 | Email Deletion | The subject deliberately deletes emails - either sent, received, or both - with the intent to obstruct investigative visibility, remove evidence of policy violations, or eliminate traces of communication relevant to an insider event. While routine inbox maintenance is common, patterns of targeted deletion may indicate purposeful concealment. |
| IF027.005 | Destructive Malware Deployment | The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain.
This behavior may include:
Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.
Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion). |