
imap connection office365

if you suspect someones office365 email account may have been compromised via imap protocol (now disabled on the account and pwd updated), where specifically could you look to see if any specific data from their account has been breached/leaked/viewed? would there be any traces within the mailbox itself, or other administrative features/logs of office365?

Most Valuable Expert 2015
Distinguished Expert 2019
Commented:
Your best bet is the Unified audit log (https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance) or the mailbox audit logs within Exchange Admin Center/PowerShell. None of these will tell you which exact items were accessed though.

As for any messages that have been sent/forwarded, check the message trace logs: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc

Author

Commented:
>None of these will tell you which exact items were accessed though.

What would they tell you then in regards to the question?
David Favor, Fractional CTO
Distinguished Expert 2019
Commented:
1) If you're really using IMAP (clear text protocol), once a connection is hacked, changing password will have no effect.

Fix: Change to using IMAPS (secured using a TLS cert).

2) If you're already using a TLS cert...

Fix: For best security ensure the protocols SSL2, SSL3, TLSv1.0, TLSv1.1 are all disabled, so only TLSv1.2 + TLSv1.3 are used.

3) If you're already only running TLSv1.2 + TLSv1.3, then likely the account in question is using a user account name + password which is shared on other sites which have been hacked... or worse...

The user is using some sort of password manager (the worst security idea ever) which has been hacked. You can test this easily by setting a long password (random 16-32 byte set of unique characters), then update your password manager. If you're hacked again, you know your password management system is leaking or selling login data.
Most Valuable Expert 2015
Distinguished Expert 2019

Commented:
They will tell you when/where from the account was accessed, whether any additional workloads were accessed and so on. There are tons of audited activities, but "reading" messages in your own mailbox is simply not one of them.
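Pulling the sources named in this answer (unified audit log, mailbox audit events, message trace) plus a check for forwarding settings and inbox rules, as an added PowerShell example that is not from this thread. It assumes the ExchangeOnlineManagement module is installed, the operator has audit and message-trace rights, and `user@example.com` is a placeholder for the affected mailbox.

```powershell
# Added example, not from the original thread. Assumes the ExchangeOnlineManagement
# module and an admin with audit/message-trace permissions. $User is a placeholder.
$User  = "user@example.com"            # placeholder: substitute the affected mailbox
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                 # interactive sign-in; also exposes Search-UnifiedAuditLog

# 1) Unified audit log: when/where/with which client the account was used, plus
#    mailbox-changing actions. Mailbox audit events (logons, rule changes) land here too.
#    MailItemsAccessed only appears with Advanced Audit (E5) licensing; otherwise nothing returns.
$Ops = @("MailboxLogin", "UserLoggedIn", "Send", "SendAs", "SendOnBehalf",
         "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
         "MailItemsAccessed")
$Events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
            -Operations $Ops -ResultSize 5000 -SessionId "imap-review" -SessionCommand ReturnLargeSet

$Events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json        # per-event detail is a JSON string
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Client    = $d.ClientInfoString         # IMAP logons show a POP3/IMAP4 client string
        Result    = $d.ResultStatus
    }
} | Sort-Object Time | Format-Table -AutoSize

# 2) Confirm mailbox auditing was actually on; if not, expect gaps before it was enabled.
Get-Mailbox -Identity $User | Select-Object AuditEnabled, AuditLogAgeLimit

# 3) Message trace: mail sent from the mailbox. Get-MessageTrace only covers the last
#    10 days; older windows need Start-HistoricalSearch instead.
$TraceStart = (Get-Date).AddDays(-10)
Get-MessageTrace -SenderAddress $User -StartDate $TraceStart -EndDate $End |
    Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# 4) Persistence check: forwarding settings and inbox rules left behind on the mailbox.
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize
```

Review the client IP and client string on each logon against the user's known locations and mail clients; an unexpected POP3/IMAP4 client string from an unfamiliar address is the logon to scope the rest of the timeline around.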
Distinguished Expert 2019

Commented:
If the account was compromised by IMAP, it is accessible by all other means. If data was forwarded, it should be part of the sent..