
possible email malware evidence

Where specifically would there be clues in an Office365 mailbox, or in logs associated with Office365, if any mail which has hit the mailbox contained malware? And what actual impact has that malware had, e.g. forwarded sensitive information from the mailbox outside?

Is it common/plausible that malware via email could then leak other emails from the account out to another address, etc.?

Exec Consultant
Distinguished Expert 2019
From the log in general, but I suggest you take a look at Threat Explorer. It can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation.

The ability to preview email headers and download the body of an email are useful capabilities in Threat Explorer.

Email Timeline is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view.


Users might notice and report unusual activity in their Office 365 mailboxes. Here are some common symptoms:

Suspicious activity, such as missing or deleted emails.

Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.

The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.

The user's display name might be changed in the Global Address List.

The user's mailbox is blocked from sending email.

The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as "I'm stuck in London, send money."

Unusual profile changes, such as the name, the telephone number, or the postal code were updated.

Unusual credential changes, such as multiple password changes being required.

Mail forwarding was recently added.

An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
The Microsoft 365 Security & Compliance Center and the Azure Portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.
Office 365 Unified Audit Logs in the Security & Compliance Center: Review all the activities for the suspected account by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date.

Office 365 Admin Audit logs in the EAC: In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log.

Azure AD Sign-in logs and other risk reports in the Azure AD portal: Examine the values in these columns:

IP address
locations
times
success or failure
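An added example of the Unified Audit Log review described above (it is not code from the answer, from the asker, or from Microsoft): it takes audit records already parsed from the AuditData JSON that Search-UnifiedAuditLog returns and flags inbox-rule or mailbox changes that forward mail to an address outside the tenant or delete it. All record values are constructed for illustration, and the internal domain "corp.example" is an assumption.

```python
import json

# Constructed sample records, shaped like the parsed AuditData of Exchange
# admin-audit entries in the Unified Audit Log. All values are invented.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "ClientIP": "203.0.113.7", "CreationTime": "2020-05-04T02:13:00",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "alice@corp.example",
     "ClientIP": "203.0.113.7", "CreationTime": "2020-05-04T02:15:00",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "ClientIP": "198.51.100.2", "CreationTime": "2020-05-04T09:00:00",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Parameter names that carry a forwarding destination, and the operations to inspect.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}

def is_external(address, internal_domains):
    """True if address (optionally 'smtp:' prefixed) is outside the tenant's domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains

def triage(records, internal_domains):
    """Return findings for rule/mailbox changes that leak mail externally or hide it."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = [f"{n} -> {params[n]}" for n in sorted(FORWARD_PARAMS & params.keys())
                   if is_external(params[n], internal_domains)]
        if params.get("DeleteMessage") == "True":
            reasons.append("DeleteMessage=True (hides forwarded mail from the user)")
        if reasons:
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "ip": rec["ClientIP"], "op": rec["Operation"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, {"corp.example"}):
        print(json.dumps(f))
```

With real data, json.loads each record's AuditData string first; the ClientIP and CreationTime in a finding are what you then correlate against the Azure AD sign-in log.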


>From the log in general

Which log would this be?
btan
Exec Consultant
Distinguished Expert 2019

Unified Audit logs because you can search for the following types of user and admin activity in Office 365: