Anomalous Delete Sequence: Ransomware Preparation & Data Destruction Risk

Why this risk matters

Ransomware and destructive attacks frequently begin with large-scale deletion of files before encryption or exfiltration. The deletion sequence follows a recognisable pattern: files are moved to the recycle bin, then permanently deleted in rapid succession, affecting large numbers of files across OneDrive and SharePoint in a short window.

Overe detects anomalous delete sequences by monitoring file deletion events across the tenant. When the volume and speed of deletions exceed normal behaviour for a user, it triggers an alert. This is distinct from a user manually emptying their recycle bin — the pattern Overe flags involves rapid, high-volume permanent deletion that is inconsistent with normal document management.

Early detection is critical because ransomware attacks often delete or overwrite backup copies of files before the primary encryption payload completes. A fast response can significantly limit the scope of damage.

What happens if this is abused

  • Ransomware begins permanently deleting files from a compromised user account before or alongside the encryption payload, degrading recovery options
  • Attacker deletes evidence of their activity — sent emails, accessed files, downloaded documents — before detection to reduce the forensic trail
  • Insider threat uses mass deletion to destroy business records, client communications, or source code before departing or after a dispute
  • Files deleted across multiple SharePoint sites and OneDrive simultaneously, affecting collaborative documents across teams and reducing the scope of what is recoverable from version history
  • Version history overwritten or deleted alongside files using PowerShell or Graph API access, reducing or eliminating recovery options even from the recycle bin
  • Deletion of a large number of files that are also shared externally, permanently removing evidence of what was exfiltrated before the bulk share
  • Admin account used to delete entire SharePoint sites or document libraries rather than individual files, affecting entire teams with a single action

When this is expected or acceptable

Some legitimate scenarios involve bulk file deletion — a project archive being cleaned up, a departing employee removing personal files, or an IT admin decommissioning a document library. These are typically slower, more methodical operations conducted during business hours by expected users.

The key distinction is speed and volume. A deliberate cleanup of 50 old files over an hour is different from 500 files being permanently deleted in two minutes. Overe flags the latter pattern.

Checks to perform before taking action

Before responding to an anomalous delete alert:

  • Identify the user account triggering the alert and confirm whether the deletion pattern is consistent with their normal activity
  • Check what files were deleted and whether they belonged to the user or to shared resources
  • Review whether the deletions coincide with sign-in anomalies, unusual IP addresses, or other Overe alerts for the same account
  • Check whether the user's account shows signs of compromise — forwarding rules, MFA changes, or OAuth consents
  • Confirm with the user or their manager whether a bulk deletion was intentionally performed
  • Check SharePoint version history and recycle bin to determine whether files are recoverable

Safe remediation steps

  1. Use Overe to review the deletion event timeline and scope before taking action
  2. If the deletion pattern is confirmed as suspicious, revoke the user's session immediately to stop further damage
  3. Investigate the account for other indicators of compromise — sign-in activity, mailbox rules, and OAuth consents
  4. Check SharePoint and OneDrive recycle bins and version history for recovery opportunities
  5. If compromise is confirmed, enforce MFA, rotate credentials, and conduct a full account review
  6. After recovery, review how the account was compromised to prevent recurrence
  7. Overe can automatically revoke sessions when an Anomalous Delete Sequence alert fires — configure auto-response thresholds in Org Config > Auto-Response

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Windows Device Security Audit and Event Logging — Captures detailed Windows security events to support threat detection, investigation, and compliance.
  • Windows Defender Antivirus Configuration — Keeps Windows devices continuously protected against malware, ransomware, and network-based threats with automatic threat removal.
  • MacOS Defender Antivirus Configuration — Keeps Mac devices continuously protected against malware with enforced real-time scanning and tamper-proof settings.

Related risks and follow-on checks

After investigating an anomalous delete sequence alert, review these related risk areas:

  • Open Defender Incidents — ransomware and destructive attacks that trigger deletion patterns also generate correlated Defender incidents; check for active incidents involving the same user or device
  • Suspicious Inbox Rules — malicious actors performing mass deletion often simultaneously modify mailbox rules to suppress outgoing security notifications and prevent alerts reaching the user
  • PST Export & eDiscovery Abuse — exfiltration followed by deletion is a recognised insider threat pattern; check whether export or search activity occurred from the same account before the deletion event
  • Files Shared Externally — check whether the deleted files were also shared externally shortly before deletion, suggesting staged exfiltration rather than pure destruction
  • Session Hijack via Unusual IP Change — if the deletion was performed from an unfamiliar IP or location, it may indicate the account was compromised and the deletion was attacker-driven rather than user-initiated
  • Users with Risky MFA Settings — accounts with weak MFA that perform mass deletion represent a higher-risk scenario if the activity was triggered by an attacker who bypassed authentication
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.