Once a Microsoft 365 mailbox compromise is contained, the investigation answers the questions that actually drive decisions: How did the attacker get in? How long were they there? What did they access? Did they establish persistence? This walkthrough covers the evidence sources and the method.
The three primary evidence sources
1. Microsoft Entra ID sign-in logs
Start here to identify the initial access. Look for the AiTM signature — a successful, MFA-satisfied sign-in from an anomalous IP/ASN/geography (the phishing proxy relays the victim's real MFA, so the stolen session looks fully authenticated) — plus impossible-travel events and unfamiliar client apps. Note the session and correlation IDs; you'll pivot on them.
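The two checks described above, as an added example (not code from the original post or from BreachLens): impossible travel between consecutive successful sign-ins for one user, and the AiTM signature of a successful, MFA-satisfied sign-in from an IP outside the user's baseline. The records are constructed; field names follow the Entra ID sign-in log export where they exist (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, correlationId), while the flat lat/lon and mfaSatisfied fields are a simplification of the nested location and authenticationDetails objects in a real export. The 900 km/h threshold and the 50 km geo-IP tolerance are assumptions.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed; faster implies two places, not one traveller
GEOIP_JITTER_KM = 50.0      # assumed: ignore small distances caused by geo-IP imprecision

# Constructed sign-in records (values invented; 203.0.113.10 is the user's usual office IP).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-03T06:10:00Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "203.0.113.10", "lat": 40.7128, "lon": -74.0060, "clientAppUsed": "Browser",
     "status": "Success", "mfaSatisfied": True, "correlationId": "c-0001"},
    {"createdDateTime": "2024-05-03T08:05:10Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "198.51.100.7", "lat": 6.5244, "lon": 3.3792, "clientAppUsed": "Browser",
     "status": "Success", "mfaSatisfied": True, "correlationId": "c-0002"},
    {"createdDateTime": "2024-05-03T08:30:00Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "203.0.113.10", "lat": 40.7128, "lon": -74.0060,
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": "Success", "mfaSatisfied": True, "correlationId": "c-0003"},
]


def parse_ts(value):
    # Sign-in log timestamps are ISO 8601 in UTC; normalise the trailing Z for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two coordinates in kilometres.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    # Compare each successful sign-in with the previous one for the same user; flag pairs whose
    # implied speed no traveller could reach. A legitimate user who keeps working from the
    # office after the rogue sign-in produces a second hit, which is itself a useful clue.
    by_user = {}
    for s in sorted(signins, key=lambda s: parse_ts(s["createdDateTime"])):
        if s["status"] == "Success":
            by_user.setdefault(s["userPrincipalName"], []).append(s)
    hits = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > GEOIP_JITTER_KM and (hours <= 0 or km / hours > max_kmh):
                hits.append({"user": user, "from": prev["correlationId"], "to": cur["correlationId"],
                             "km": round(km), "kmh": round(km / hours) if hours > 0 else float("inf")})
    return hits


def flag_aitm_candidates(signins, known_ips):
    # The AiTM signature: success, MFA satisfied, source IP outside the user's known baseline.
    return [s["correlationId"] for s in signins
            if s["status"] == "Success" and s["mfaSatisfied"] and s["ipAddress"] not in known_ips]
```

Run on the sample, both functions point at correlation ID c-0002: it sits between two office sign-ins that it cannot be reconciled with, and it is the only MFA-satisfied success from an unknown IP. That correlation ID and its session ID are what you carry into the Unified Audit Log.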
2. The Unified Audit Log (UAL)
The UAL is the backbone of the investigation, capturing operations across the tenant for up to 180 days (longer with the right licensing). Filter for high-signal operations: New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox (forwarding), Add-MailboxPermission, Consent to application, and Add service principal credentials.
3. MailItemsAccessed (mailbox audit)
This is how you scope exfiltration. MailItemsAccessed records which mail items a session touched. Correlate it with the attacker's session IDs from the sign-in logs to produce an itemized view — folders, message counts, timestamps — of what was actually read or synced. This is what determines whether sensitive data was exposed.
Building the timeline
The investigative output is a single correlated timeline in UTC that tells the story end to end:
- Initial access — the first malicious sign-in and how MFA was satisfied.
- Persistence — inbox rules, forwarding, OAuth consents, added permissions.
- Reconnaissance — searches and mail access patterns (looking for invoices, payments, vendors).
- Action on objective — fraudulent mail sent, payment-redirect attempts, data export.
- Dwell time — first to last attacker activity.
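The UAL and MailItemsAccessed steps above, and the timeline they feed, as one added example (not code from the original post or from BreachLens). It assumes a Purview-style audit export with CreationDate, UserIds, Operations and AuditData columns, where AuditData is the JSON record; the keys used (ClientIP, ClientIPAddress, ActorIpAddress, Parameters, SessionId, Folders, FolderItems) follow the published Exchange and Entra audit schemas as I know them, and the sample events, IPs, session IDs and app name are constructed. The persistence filter is the article's own list of high-signal operations.

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# The article's high-signal operations; trailing periods are stripped before comparison.
PERSISTENCE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
                   "Add-MailboxPermission", "Consent to application", "Add service principal credentials"}
USER = "j.doe@example.com"        # constructed victim
ATTACKER_IP = "198.51.100.7"      # constructed; identified from the sign-in logs


def _constructed_events():
    # Invented events in the shape of UAL AuditData JSON; 203.0.113.10 is the legitimate user.
    def item(i):
        return {"InternetMessageId": f"<{i}@example.com>"}
    return [
        {"CreationTime": "2024-05-03T08:05:10", "Operation": "UserLoggedIn", "UserId": USER,
         "ClientIP": ATTACKER_IP + ":49152"},
        {"CreationTime": "2024-05-03T08:12:30", "Operation": "MailItemsAccessed", "UserId": USER,
         "ClientIPAddress": ATTACKER_IP, "SessionId": "sess-attacker",
         "Folders": [{"Path": "\\Inbox", "FolderItems": [item("a1"), item("a2"), item("a3")]}]},
        {"CreationTime": "2024-05-03T08:14:05", "Operation": "MailItemsAccessed", "UserId": USER,
         "ClientIPAddress": ATTACKER_IP, "SessionId": "sess-attacker",
         "Folders": [{"Path": "\\Sent Items", "FolderItems": [item("b1"), item("b2")]}]},
        {"CreationTime": "2024-05-03T09:15:42", "Operation": "New-InboxRule", "UserId": USER,
         "ClientIP": ATTACKER_IP, "Parameters": [{"Name": "Name", "Value": "."},
             {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
             {"Name": "DeleteMessage", "Value": "True"}]},
        {"CreationTime": "2024-05-03T09:16:10", "Operation": "Set-Mailbox", "UserId": USER,
         "ClientIP": ATTACKER_IP, "Parameters": [{"Name": "Identity", "Value": USER},
             {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"}]},
        {"CreationTime": "2024-05-03T09:20:00", "Operation": "Consent to application.", "UserId": USER,
         "ActorIpAddress": ATTACKER_IP, "ObjectId": "Mail Sync Helper (constructed app name)"},
        {"CreationTime": "2024-05-03T10:30:00", "Operation": "MailItemsAccessed", "UserId": USER,
         "ClientIPAddress": "203.0.113.10", "SessionId": "sess-legit",
         "Folders": [{"Path": "\\Inbox", "FolderItems": [item("c1")]}]},
    ]


def build_sample_export():
    # Render the constructed events as a Purview-style CSV with the AuditData JSON column.
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    writer.writerows((e["CreationTime"], e["UserId"], e["Operation"], json.dumps(e))
                     for e in _constructed_events())
    return buf.getvalue()


def _client_ip(data):
    # The source-IP key differs per workload; drop a trailing :port (IPv4 assumed).
    for key in ("ClientIP", "ClientIPAddress", "ActorIpAddress"):
        if data.get(key):
            return data[key].split(":")[0]
    return None


def parse_ual_export(csv_text):
    # Decode each AuditData blob, attach a tz-aware UTC timestamp, and return events in time order.
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        events.append({"ts": datetime.fromisoformat(data["CreationTime"]).replace(tzinfo=timezone.utc),
                       "user": row["UserIds"], "op": row["Operations"].rstrip("."),
                       "ip": _client_ip(data), "data": data})
    return sorted(events, key=lambda e: e["ts"])


def find_persistence(events):
    # Flag the high-signal operations; Set-Mailbox counts only when it touches forwarding.
    findings = []
    for e in events:
        if e["op"] not in PERSISTENCE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in e["data"].get("Parameters", [])}
        if e["op"] == "Set-Mailbox" and not any(k.startswith("Forwarding") for k in params):
            continue
        findings.append({"ts": e["ts"], "op": e["op"], "ip": e["ip"],
                         "detail": params or {"ObjectId": e["data"].get("ObjectId")}})
    return findings


def scope_mail_access(events, attacker_sessions):
    # Itemise what the attacker sessions touched: folder path -> number of MailItemsAccessed items.
    counts = Counter()
    for e in events:
        if e["op"] == "MailItemsAccessed" and e["data"].get("SessionId") in attacker_sessions:
            for folder in e["data"].get("Folders", []):
                counts[folder["Path"]] += len(folder.get("FolderItems", []))
    return dict(counts)


def build_timeline(events, attacker_ips):
    # Attacker-attributed events in UTC order plus dwell time (first to last attacker activity).
    # SessionIds seen from attacker IPs extend attribution to mailbox-audit events; compare them
    # with the session IDs taken from the sign-in logs as a cross-check.
    sessions = {e["data"]["SessionId"] for e in events if e["ip"] in attacker_ips and e["data"].get("SessionId")}
    attributed = [e for e in events if e["ip"] in attacker_ips or e["data"].get("SessionId") in sessions]
    dwell = attributed[-1]["ts"] - attributed[0]["ts"] if attributed else timedelta(0)
    return attributed, dwell, sessions
```

Feeding the constructed export through `parse_ual_export`, then `build_timeline` and `scope_mail_access`, gives the five timeline phases in order: the attacker's sign-in, reconnaissance of the Inbox and Sent Items, the inbox rule that deletes invoice and payment mail, the forwarding address, and the OAuth consent, with the user's own later mailbox activity left out because neither its IP nor its session ID is attacker-attributed. Real exports carry far more operations than the sample; keep the raw CSV alongside the derived timeline, since the itemized MailItemsAccessed list is what the notification decision rests on.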
Indicators to capture for your report
Document attacker IPs/ASNs, the malicious rule definitions, OAuth app IDs, recipient addresses of forwarded/fraudulent mail, and the list of accessed items. These indicators support insurance claims, IC3 reporting, and notification decisions.
The bottleneck — and how to remove it
Doing this by hand means exporting large CSVs, writing PowerShell or KQL, and manually stitching events across three logs. It is precise but slow, and easy to get wrong under pressure. BreachLens automates the correlation: upload your Microsoft 365 audit export and it reconstructs the sign-in-to-exfiltration timeline, flags persistence mechanisms, and produces a shareable forensic report — turning a multi-day effort into minutes, with the raw evidence still preserved for your records.