How to Detect Compromised Microsoft 365 Accounts

March 23, 2026
6 min read


Account compromises are increasing in frequency and sophistication. Attackers understand that stolen Microsoft 365 credentials provide access to email, Teams, SharePoint, OneDrive, and the entire Microsoft ecosystem. For MSPs and MSSPs, detecting compromised accounts quickly is critical—a single compromised admin account can lead to lateral movement across an entire tenant.

This guide provides practical techniques to detect account compromise and investigate suspicious activity in Microsoft 365.

Understanding Account Compromise Indicators

Before diving into detection methods, understand common compromise indicators:

  • Unusual sign-in locations: Accounts accessed from countries they’ve never connected from before
  • Impossible travel: Account access from two locations too far apart geographically to be possible
  • Unusual sign-in times: Access during off-hours from users who normally work business hours
  • Bulk email activity: Sudden spike in email sends, often phishing or malware distribution
  • File access anomalies: Unusual file downloads or access to sensitive SharePoint sites
  • Mail forwarding rules: Rules created to forward all email to external addresses
  • Administrative changes: Role assignments or security policy modifications by compromised accounts
  • Device changes: Sudden changes in device type, location, or OS

Detection Method 1: Azure AD Sign-In Logs Analysis

Where to Look:

  1. Navigate to Azure AD > Sign-in logs
  2. You’ll see all sign-in activity across your tenant

Key Filters to Apply:

Filter by Risk Level:

  • Click Sign-in risk level column header to sort by risk
  • High-risk sign-ins are flagged by Azure AD’s risk engine
  • Review all medium and high-risk attempts immediately

Filter by Location Anomalies:

  1. Set Date range to last 30 days
  2. Export to Excel (Show: 250 results)
  3. Identify unique countries in Location column
  4. Compare against known user locations

Look for:

  • First-time countries (especially high-risk nations)
  • Geographically impossible logins
  • VPN/Proxy countries your organization doesn’t operate in

Filter by Device Information:

  1. Click Device info column
  2. Look for unmanaged devices or unusual device types
  3. Attackers using a compromised account often connect from personal, unmanaged devices
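As an added example that is not part of the original guide, here are the location checks described above (first-time countries and geographically impossible logins) automated in Python over an exported sign-in log. The sample records and the per-user baseline of known countries are constructed; the field names follow the shape of the Microsoft Graph signIn resource (assumed), and the 1000 km/h ceiling and 100 km geo-IP tolerance are assumed starting thresholds.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records in the shape of an Entra ID (Azure AD) sign-in log export (assumed field names).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-20T08:05:00Z",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 47.6, "longitude": -122.3}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-20T09:10:00Z",
     "location": {"countryOrRegion": "NG", "geoCoordinates": {"latitude": 6.5, "longitude": 3.4}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-20T10:00:00Z",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 40.7, "longitude": -74.0}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-20T18:00:00Z",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 34.1, "longitude": -118.2}}},
]
# Per-user baseline of countries seen in a known-clean period (constructed; an MSP would
# build this from the same export for a clean period or from HR/office data).
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: faster than an airliner means impossible travel
GEOIP_TOLERANCE_KM = 100.0   # assumed: ignore small jumps caused by geo-IP imprecision

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_location_anomalies(signins, known_countries):
    """Return (upn, kind, detail) findings: first-time countries and impossible travel."""
    findings, by_user = [], {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for upn, recs in by_user.items():
        prev = None
        for rec in recs:
            country = rec["location"]["countryOrRegion"]
            if country not in known_countries.get(upn, set()):
                findings.append((upn, "first_time_country", country))
            if prev is not None:
                g1, g2 = prev["location"]["geoCoordinates"], rec["location"]["geoCoordinates"]
                km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
                hours = (parse_ts(rec["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
                # Zero elapsed time with a real distance is treated as impossible travel too.
                if km > GEOIP_TOLERANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    findings.append((upn, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
            prev = rec
    return findings
```

Bob's New York to Los Angeles jump over eight hours stays under the ceiling, while Alice's Seattle to Lagos hop in just over an hour is flagged twice: once as a first-time country and once as impossible travel.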

Detection Method 2: Azure AD Anomalous Activity Alerts

Azure AD Premium P2 includes automated anomaly detection:

  1. Navigate to Azure AD > Identity Protection > Overview
  2. Review Risky users and Risky sign-ins dashboards
  3. View detected anomalies including:
    • Atypical travel alerts
    • Sign-ins from anonymous IP addresses
    • Sign-ins from malware-infected devices
    • Unfamiliar sign-in properties

Investigate Risky User:

  1. Click user to view details
  2. Review timeline of detections
  3. Check all sign-ins from suspicious locations
  4. Look for lateral movement attempts

The risk engine is sophisticated—investigate every P2 detection, as they often precede account takeover.

Detection Method 3: Exchange Online Audit Logs

Email-based compromise indicators are often the most revealing:

Enable Mailbox Auditing:

  1. Exchange Admin Center > Compliance > Audit
  2. Ensure the "Mailbox auditing is on by default" setting is enabled
  3. Verify all users have mailbox auditing enabled

Review Suspicious Email Activity:

  1. Exchange Admin Center > Compliance > Audit > Mailbox audit log search
  2. Search for specific user
  3. Filter operations: MailboxLogin, SendAs, SendOnBehalf, Create
  4. Look for:
    • Logins from unusual locations/times
    • SendAs activity (mail sent as the user by the attacker)
    • Unusual folder access patterns

Check Mail Forwarding Rules:

  1. Exchange Admin Center > Mail flow > Rules
  2. Review all forwarding rules
  3. Look for rules forwarding mail to external addresses
  4. Check rule creation timestamp and creator
  5. Disable suspicious rules immediately

Compromised accounts frequently have forwarding rules sending copies of all email to attacker-controlled addresses—this is a critical detection indicator.

Investigate Inbox Rules (Client-Side):
For thorough investigation, check client-side Inbox Rules:

  1. Connect to Exchange Online PowerShell (Connect-ExchangeOnline) and query every user mailbox
  2. Command: Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null } | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
  3. Review results for unexpected forwarding

Detection Method 4: Microsoft Defender for Identity

If clients have E5 licenses, Defender for Identity provides behavioral analysis:

  1. Access Defender for Identity portal in Microsoft 365 Defender
  2. Navigate to Identity > Entity insights
  3. Look for alerts:
    • Suspicious modification of group membership
    • Suspicious creation of service principal
    • Impossible travel alerts
    • Atypical bulk operations
    • Account enumeration attempts

Defender for Identity uses machine learning to detect behavioral anomalies even before explicit signs of compromise.

Detection Method 5: File Access and Sharing Anomalies

Compromised accounts often exfiltrate data:

SharePoint Activity Monitoring:

  1. SharePoint Admin Center > Active sites
  2. Click site, view Activity tab
  3. Look for:
    • Unusual bulk downloads
    • Access from new devices/locations
    • Sharing of sensitive documents to external addresses

File-Level Auditing:

  1. Compliance Center > Audit > Start recording user and admin activity
  2. Search specific user’s file activities
  3. Filter operations: FileAccessed, FileDownloaded, FolderCreated
  4. Identify suspicious patterns

OneDrive Sharing Anomalies:

  1. Review OneDrive Sharing Links in admin center
  2. Look for shares to external email addresses
  3. Check share creation timestamp
  4. Verify against user’s normal behavior

Detection Method 6: Unusual Administrative Activity

Compromised admin accounts can modify security policies:

Check Recent Admin Changes:

  1. Azure AD > Audit logs
  2. Filter Activity: Add user to role or Modify directory role
  3. Verify all recent admin assignments
  4. Confirm that anyone holding an unfamiliar role assignment can explain who granted it and why

Monitor Security Policy Changes:

  1. Review Conditional Access policy modifications
  2. Check for disabled MFA requirements
  3. Verify no one has disabled advanced threat protection
  4. Audit changes to authentication methods

Attackers often disable security controls to maintain persistent access.

Automated Detection with Sentinel

For enterprise clients, implement Azure Sentinel for sophisticated detection:

  1. Deploy Microsoft Sentinel workspace
  2. Connect Azure AD sign-in logs and Audit logs
  3. Create alert rules for:
    • Multiple failed logins followed by success
    • Sign-in from impossible travel location
    • High-risk user performing administrative actions
    • Bulk mail forwarding rule creation

Sentinel provides machine learning-based detection that identifies novel attack patterns.
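As an added example that is not part of the original guide, the first alert rule listed above ("multiple failed logins followed by success") as a sliding-window check in Python that you can run locally over an exported sign-in log before committing the logic to an analytics rule. The sample records are constructed; the field names follow the Microsoft Graph signIn resource (assumed), and the five-failures-in-ten-minutes threshold is an assumed starting point. Reporting the failure IPs next to the success IP helps separate a guessed password from a user who simply mistyped.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records; shape follows the Microsoft Graph signIn resource
# (assumed). status.errorCode 0 is success, 50126 is "invalid username or password".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "carol@example.com", "createdDateTime": f"2026-03-21T02:0{i}:00Z",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}} for i in range(5)
] + [
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-03-21T02:06:00Z",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    # Dave mistypes once and then signs in: below the threshold, so no finding.
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2026-03-21T09:00:00Z",
     "ipAddress": "198.51.100.4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2026-03-21T09:00:30Z",
     "ipAddress": "198.51.100.4", "status": {"errorCode": 0}},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def failed_then_success(signins, min_failures=5, window=timedelta(minutes=10)):
    """Flag a successful sign-in preceded by >= min_failures failures within `window`.

    Thresholds are assumed defaults; tune them per tenant. Returns one dict per hit."""
    findings, by_user = [], {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for upn, recs in by_user.items():
        recent = []   # (timestamp, ip) of failures still inside the sliding window
        for rec in recs:
            ts = parse_ts(rec["createdDateTime"])
            recent = [f for f in recent if ts - f[0] <= window]
            if rec["status"]["errorCode"] != 0:
                recent.append((ts, rec["ipAddress"]))
                continue
            if len(recent) >= min_failures:
                findings.append({
                    "user": upn,
                    "failures": len(recent),
                    "failure_ips": sorted({ip for _, ip in recent}),
                    "success_ip": rec["ipAddress"],
                    "success_time": rec["createdDateTime"],
                })
            recent = []   # any success ends the current burst
    return findings
```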

Incident Response Steps

If you detect a compromised account:

Immediate Actions (Within 1 Hour):

  1. Reset user password immediately
  2. Revoke all active sessions (Azure AD > Sessions)
  3. Disable MFA methods and force re-enrollment
  4. Remove from privileged groups
  5. Alert the user and their manager

Investigation (Next 4 Hours):

  1. Analyze full sign-in timeline (past 30 days)
  2. Identify all locations and devices used
  3. Check for forwarding rules and sharing anomalies
  4. Review mailbox delegation changes

Remediation (Next 24 Hours):

  1. Delete all suspicious forwarding/inbox rules
  2. Revoke problematic sharing links
  3. Force MFA re-enrollment
  4. Scan user’s devices for malware
  5. Review data exfiltration scope

Reporting (Ongoing):

  1. Document timeline of compromise
  2. Estimate scope of data access/exfiltration
  3. Report to compliance and legal teams
  4. Implement changes to prevent recurrence

Best Practices for MSPs

  • Proactive Monitoring: Review sign-in logs weekly, not just when breaches occur
  • Risk-Based Approach: Prioritize investigation of high-risk indicators first
  • Automated Alerting: Set up alerts for specific indicators rather than manual review
  • User Communication: Train users to recognize compromise (unusual sent items, password change notifications)
  • Documentation: Maintain detailed logs of all investigations for compliance

Conclusion

Detecting compromised Microsoft 365 accounts requires systematic analysis of multiple data sources. By implementing these detection methods, you:

  • Identify account compromises within hours, not days
  • Prevent lateral movement and data exfiltration
  • Minimize incident impact
  • Maintain compliance with regulatory requirements

Your ability to rapidly detect and respond to compromises directly protects your clients’ entire Microsoft 365 environments.

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment.
