We help IT Professionals succeed at work.

office365 email compromise

pma111 asked
If someone has compromised as in gained unauthorised access) to an Office365 email account, for the purposes of data access, is there anyway they could lead emails out to an external address without it leaving a trace in the tracking logs? With such an attack how is it likely the attacker would make use of the access they have achieved through whatever compromise, to read/use the data? It seems a bit simplistic to me to just start forwarding them outwards, but I am not sure how these attacks happen and what exactly it is they would do with their access once achieved (and how to determine what if anything they did do once access was achieved).
Watch Question

Jackie Man IT Manager
Distinguished Expert 2019

There is no need to forward the emails to get the data out of Office 365.

Just setup the Office 365 account as an Exchange account in MS Outlook and drag and drop (and press the Ctrl key at the same time) to copy the emails in a local .PST file in MS Outlook. If do not press the Ctrl key, the emails are moved to the local .PST file and will be gone forever.

There are no traces or logs.
Jackie Man IT Manager
Distinguished Expert 2019

So, prevention is better than tracing after being compromised.

Turn on two factor authentication to prevent the compromise of the Office 365 account.


its not quite that simple though if there is suggestion of compromise you had to legally determine to what extent in certain cases. from what I understand if there are certain protocols enabled for accessing a office365 mailbox then 2FA can sometimes be bypassed.
Distinguished Expert 2019
You're using MFA? Conditional access policies would be one thing to look at. You could exclude certain networks from MFA. Another is checking their MFA settings. I've seen cases where a malicious actor compromised an account before the user set up MFA, so they had their own settings in. A second to see is making sure that all ways in are sealed. I've seen cases where entering via the Office portal site wasn't locked down.
btanExec Consultant
Distinguished Expert 2019

If the compromised is privileged user like administrator, the traces maybe deleted or disabled to deter investigation efforts. That said MFA made is harder presumably the admin user are enabled with that.

Vigilance in user can still help assuming user notices and reports unusual activity in their Office 365 mailboxes. Here are some common symptoms:

  • Suspicious activity, such as missing or deleted emails.
  • Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.
  • The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.
  • Unusual credential changes, such as multiple password changes are required.
  • Mail forwarding was recently added.

Even without much log, there would still be possible past risk report generated to give hint to foul play.

Azure AD Sign-in logs and other risk reports in the Azure AD portal: Examine the values in these columns:

  • Review IP address
  • sign-in locations
  • sign-in times
  • sign-in success or failure

Better to have regular review of the posture and setting that harden the services.