If it is not insider doing, the audit trails would have surfaced and the details can be articulated in the recordtype and more, just make sure it is not been overridden and still there..
https://docs.microsoft.com/en-gb/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log
But many a time, either auditing is not enabled or modified due to upgrade or misconfigured etc, the short it is not foolproof.
As you mention, the technicalities is of interest and you can find it in the below.
The release of a security research tool called Ruler enables an attacker to install a persistence mechanism once an account has been breached to maintain access even through a password roll.
Another is via such interface. Key is even user mode is good enough to do very stealthy stuff.
The Microsoft Messaging Application Programming Interface (MAPI), is “… a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages….”. Furthermore, according to Microsoft “… MAPI also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system.”
would exchange/office365 capture yanking of the address book though? Or could they be done discretely with access.