Email rules/filters in place are something that ITDR is monitoring and alerting for. We have received a few false positive (investigated and corrected) notifications regarding rules for deletion or marked as read.

What would be really helpful is if Huntress was able to leverage things to alert on mass email deletion. This is somewhat of a DLP specific thing rather than identity protection, but I would imagine mass deleting 100-1000+ emails from an inbox would certainly be out of the norm for most entities.