Anomalous Delete Sequence: Ransomware Preparation & Data Destruction Risk

Why this risk matters

Ransomware and destructive attacks frequently begin with large-scale deletion of files before encryption or exfiltration. The deletion sequence follows a recognisable pattern: files are moved to the recycle bin, then permanently deleted in rapid succession, affecting large numbers of files across OneDrive and SharePoint in a short window.

Overe detects anomalous delete sequences by monitoring file deletion events across the tenant. When the volume and speed of deletions exceed normal behaviour for a user, it triggers an alert. This is distinct from a user manually emptying their recycle bin — the pattern Overe flags involves rapid, high-volume permanent deletion that is inconsistent with normal document management.

Early detection is critical because ransomware attacks often delete or overwrite backup copies of files before the primary encryption payload completes. A fast response can significantly limit the scope of damage.

What happens if this is abused

  • Ransomware begins permanently deleting files from a compromised user account before or alongside the encryption payload
  • Attacker deletes evidence of their activity — logs, emails, shared files — before detection
  • Insider threat uses mass deletion to destroy business records or client data before departing
  • Files deleted across multiple SharePoint sites and OneDrive simultaneously, affecting collaborative documents across teams
  • Version history overwritten or deleted alongside files, reducing recovery options

When this is expected or acceptable

Some legitimate scenarios involve bulk file deletion — a project archive being cleaned up, a departing employee removing personal files, or an IT admin decommissioning a document library. These are typically slower, more methodical operations conducted during business hours by expected users.

The key distinction is speed and volume. A deliberate cleanup of 50 old files over an hour is different from 500 files being permanently deleted in two minutes. Overe flags the latter pattern.
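The speed-and-volume distinction can be expressed as a sliding-window count over audit records. The following Python is an added illustration, not Overe's detection logic: it runs over constructed unified-audit-log records for the two scenarios above (50 purges spread over an hour versus 500 in two minutes), using the SharePoint audit operation names for recycle-bin purges; the user names, tenant, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Unified-audit-log operation names for the permanent-delete stage in
# SharePoint/OneDrive (first- and second-stage recycle-bin purge).
PERMANENT_DELETE_OPS = {"FileDeletedFirstStageRecycleBin",
                        "FileDeletedSecondStageRecycleBin"}

def detect_delete_bursts(events, window=timedelta(minutes=2), threshold=500):
    """Return {user: (count, first_ts, last_ts)} for every user whose
    permanent deletions inside some sliding `window` reach `threshold`.
    Recycle-bin moves (FileRecycled) are ignored: only the purge counts."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["Operation"] in PERMANENT_DELETE_OPS:
            by_user[ev["UserId"]].append(datetime.fromisoformat(ev["CreationTime"]))
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        left, best = 0, (0, None, None)
        for right, ts in enumerate(times):
            while ts - times[left] > window:   # slide the window start forward
                left += 1
            if right - left + 1 > best[0]:
                best = (right - left + 1, times[left], ts)
        if best[0] >= threshold:
            alerts[user] = best
    return alerts

def make_events(user, op, start, n, spacing):
    """Constructed audit records; contoso.example is a placeholder tenant."""
    return [{"CreationTime": (start + i * spacing).isoformat(), "UserId": user,
             "Operation": op, "ObjectId": f"https://contoso.example/sites/finance/doc{i}.docx"}
            for i in range(n)]

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # methodical cleanup: 50 files purged over roughly an hour (assumed scenario)
    make_events("cleanup@contoso.example", "FileDeletedSecondStageRecycleBin",
                T0, 50, timedelta(seconds=72))
    # ransomware-style sequence: 500 files recycled, then purged within two minutes
    + make_events("attacker@contoso.example", "FileRecycled",
                  T0, 500, timedelta(seconds=0.24))
    + make_events("attacker@contoso.example", "FileDeletedSecondStageRecycleBin",
                  T0 + timedelta(minutes=3), 500, timedelta(seconds=0.24))
)

if __name__ == "__main__":
    for user, (count, first, last) in detect_delete_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {count} permanent deletes between {first} and {last}")
```

Only the attacker account trips the default two-minute/500-file window; the cleanup account would need a much wider window and lower threshold to be flagged, which is the tuning trade-off the paragraph above describes.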

Checks to perform before taking action

Before responding to an anomalous delete alert:

  • Identify the user account triggering the alert and confirm whether the deletion pattern is consistent with their normal activity
  • Check what files were deleted and whether they belonged to the user or to shared resources
  • Review whether the deletions coincide with sign-in anomalies, unusual IP addresses, or other Overe alerts for the same account
  • Check whether the user's account shows signs of compromise — forwarding rules, MFA changes, or OAuth consents
  • Confirm with the user or their manager whether a bulk deletion was intentionally performed
  • Check SharePoint version history and recycle bin to determine whether files are recoverable

Safe remediation steps

  1. Use Overe to review the deletion event timeline and scope before taking action
  2. If the deletion pattern is confirmed as suspicious, revoke the user's session immediately to stop further damage
  3. Investigate the account for other indicators of compromise — sign-in activity, mailbox rules, and OAuth consents
  4. Check SharePoint and OneDrive recycle bins and version history for recovery opportunities
  5. If compromise is confirmed, enforce MFA, rotate credentials, and conduct a full account review
  6. After recovery, review how the account was compromised to prevent recurrence
  7. Overe can automatically revoke sessions when an Anomalous Delete Sequence alert fires — configure auto-response thresholds in Org Config > Auto-Response

Related risks and follow-on checks

  • Open Defender incidents
  • Suspicious inbox rules
  • PST export and eDiscovery abuse
  • Users with risky MFA settings