Attackers who compromise Microsoft 365 accounts often stay quiet for weeks — reading email, setting up forwarding rules, and waiting for the right moment. Here's how to check whether your account has been accessed without your knowledge.
Why account compromises often go undetected
When an attacker gains access to a Microsoft 365 account, their first priority is not to do anything visible. They read your email. They identify financial workflows, vendor relationships, and upcoming transactions. They set up inbox rules to hide their tracks — forwarding copies of email to an external account, moving security alerts to deleted items, and suppressing replies so you don't notice unusual activity.
This reconnaissance phase can last weeks or months before the attacker acts. The first indication you might have is a fraudulent wire transfer request that appears to come from a trusted contact — using real context from emails they've been reading.
Most small businesses don't have active monitoring for their Microsoft 365 tenant. There's no alert when someone logs in from an unusual location, no notification when a new inbox rule is created, no review of admin activity logs. The compromise is discovered after the damage is done.
The sign-in log: where to start
Microsoft 365 maintains a sign-in log that records every authentication event for your tenant — including the IP address, location, device, and application used. This is your primary tool for detecting unauthorized access.
To access it: go to the Microsoft 365 admin center, then the Entra ID (Azure AD) admin center, and look under Monitoring > Sign-in logs. Filter by user and look for sign-ins from unusual countries, unfamiliar IP addresses, or unexpected applications.
What to look for: sign-ins from locations you haven't been; sign-ins at unusual times (3am on a Sunday); multiple failed authentications followed by a success (credential stuffing); sign-ins from legacy protocols like IMAP or POP3; and sign-ins using application permissions rather than interactive user login.
Microsoft Secure Score and Identity Protection (available in Business Premium and higher tiers) can surface these anomalies automatically and assign risk scores to suspicious sign-ins.
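As an added example (not code from the original post), here is a Microsoft Graph PowerShell sweep of the sign-in log that applies the checks above to one account; the user principal name, expected countries, working hours and the failure threshold are assumptions to adjust for your tenant.

```powershell
# Added example, not code from the original post: pull one user's sign-ins for the
# last 30 days via Microsoft Graph PowerShell and flag the patterns listed above.
# Assumes the Microsoft.Graph module is installed; the user, expected countries
# and working hours below are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$User  = "alice@example.com"
$Since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$SignIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$User' and createdDateTime ge $Since" |
    Sort-Object CreatedDateTime

$ExpectedCountries = @("US")                                   # known-good baseline
$ModernClients     = @("Browser", "Mobile Apps and Desktop clients")

$Flags = foreach ($s in $SignIns) {
    $why = @()
    $country = $s.Location.CountryOrRegion
    if ($country -and $country -notin $ExpectedCountries) { $why += "country $country" }
    # Anything other than the two modern client types is legacy auth (IMAP4, POP3,
    # SMTP, ...) or a non-browser protocol worth a second look.
    if ($s.ClientAppUsed -and $s.ClientAppUsed -notin $ModernClients) {
        $why += "client $($s.ClientAppUsed)"
    }
    $hour = $s.CreatedDateTime.ToLocalTime().Hour
    if ($hour -lt 6 -or $hour -ge 22) { $why += "off-hours ${hour}:00 local" }
    if ($s.RiskLevelDuringSignIn -in @("medium", "high")) {
        $why += "risk $($s.RiskLevelDuringSignIn)"
    }
    if ($why) {
        [pscustomobject]@{
            Time = $s.CreatedDateTime; IP = $s.IpAddress; Country = $country
            Client = $s.ClientAppUsed; App = $s.AppDisplayName
            Success = ($s.Status.ErrorCode -eq 0); Why = ($why -join "; ")
        }
    }
}

# Several failures followed by a success from the same IP: the credential
# stuffing pattern described above. Threshold of 5 is an assumption.
foreach ($g in ($SignIns | Group-Object IpAddress)) {
    $ordered = $g.Group | Sort-Object CreatedDateTime
    $fails   = @($ordered | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
    if ($fails -ge 5 -and $ordered[-1].Status.ErrorCode -eq 0) {
        Write-Warning "$($g.Name): $fails failures, then success at $($ordered[-1].CreatedDateTime)"
    }
}

$Flags | Format-Table -AutoSize
```

Get-MgAuditLogSignIn returns interactive sign-ins by default; application and service principal sign-ins need a separate query, so an empty result here does not clear the account on its own.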
Mailbox rules: the attacker's persistence mechanism
Inbox rules are one of the most reliable indicators of a compromised account. Attackers routinely create rules that: forward all incoming email to an external address, delete emails containing words like "password reset" or "security alert," move replies to specific contacts to deleted items, or mark all email as read to prevent you from noticing new messages.
To review mailbox rules: in Outlook Web App, go to Settings > Mail > Rules. Review every rule — if you see any you don't recognize, treat it as a red flag.
In the Microsoft 365 admin center, an administrator can review all users' inbox rules from the Exchange admin center under Recipients. This is worth doing for any account where compromise is suspected.
If you find an unfamiliar forwarding rule, the account has almost certainly been compromised. The rule needs to be removed, the account password reset, all active sessions terminated, and MFA reviewed and updated.
Other indicators to check
Sent items review. Check the Sent Items folder for emails you didn't send. Attackers often use compromised accounts to send phishing emails or conduct business email compromise (BEC) fraud from the legitimate account.
Delegated access and app permissions. Check whether any external applications have been granted access to your account. In Microsoft 365: go to My Account > Privacy > App access. Remove any applications you don't recognize or actively use.
Admin audit log. If the compromised account has admin privileges, check the admin audit log for unusual activity — new users created, licenses assigned, settings changed, other accounts modified.
Mail forwarding settings at the account level. Separate from inbox rules, Microsoft 365 allows forwarding to be configured at the mailbox level. Check this in the Exchange admin center under Recipients > Mailboxes > the user's account > Manage email forwarding.
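As an added example serving both the inbox-rule review and the mailbox-level forwarding check above (not the original post's code), here is an Exchange Online PowerShell sweep across every mailbox in the tenant; accepted domains are read from the tenant, while the suspicious folder names and the decision to flag every delete rule are assumptions to tune.

```powershell
# Added example, not code from the original post: sweep every mailbox for the
# two persistence mechanisms above, mailbox-level forwarding and inbox rules
# that forward, delete, hide or mark mail as read. Assumes the
# ExchangeOnlineManagement module and a role that can read mailbox settings.
Connect-ExchangeOnline -ShowBanner:$false

# Anything outside the tenant's accepted domains counts as external.
$InternalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress([string]$Target) {
    # Rule targets render as '"Name" [SMTP:user@domain]' or as a bare address.
    if ($Target -match '([^\s\[\]:"]+@[^\s\[\]"]+)') { $Target = $Matches[1] }
    $domain = $Target.Split('@')[-1]
    return [bool]($domain -and $domain -notin $InternalDomains)
}

$Mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$Findings = foreach ($mbx in $Mailboxes) {
    $upn = $mbx.UserPrincipalName
    # 1. Forwarding set on the mailbox itself (Manage email forwarding in EAC)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $upn; Type = "MailboxForwarding"; Rule = "-"
            Detail = "to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) keepCopy=$($mbx.DeliverToMailboxAndForward)" }
    }
    # 2. Inbox rules with the behaviours attackers rely on
    foreach ($r in Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue) {
        $targets  = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress "$_" })
        $words    = @($r.SubjectContainsWords) + @($r.BodyContainsWords) + @($r.SubjectOrBodyContainsWords) | Where-Object { $_ }
        $why = @()
        if ($external)        { $why += "forwards externally to $($external -join ', ')" }
        if ($r.DeleteMessage) { $why += "deletes mail" + $(if ($words) { " matching: $($words -join ', ')" }) }
        if ($r.MoveToFolder -match 'Deleted Items|RSS|Archive|Junk') { $why += "moves to $($r.MoveToFolder)" }
        if ($r.MarkAsRead)    { $why += "marks as read" }
        if ($why) {
            [pscustomobject]@{ Mailbox = $upn; Type = "InboxRule"
                Rule = "$($r.Name) (enabled=$($r.Enabled))"; Detail = ($why -join "; ") }
        }
    }
}

$Findings | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
```

Review every row against the mailbox owner: a legitimate vacation or sorting rule will show up alongside a hidden forward, and the point is to have the complete list rather than rely on what Outlook's Rules page happens to show.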
What to do if you find evidence of compromise
If you find clear indicators of compromise — unfamiliar sign-ins, unexpected inbox rules, emails you didn't send — the response steps are: disable the account immediately to stop ongoing access; terminate all active sessions; reset the password; review and remove any unauthorized inbox rules, forwarding, or delegated permissions; check for any emails sent or actions taken during the compromise window; notify affected contacts if fraudulent communications were sent.
If the compromise resulted in financial fraud, contact your bank immediately and report to the FBI's IC3 and local law enforcement.
Going forward: enable MFA if it isn't already enabled, review Conditional Access policies, and consider enabling Microsoft Identity Protection alerts so unusual sign-ins trigger automatic alerts rather than waiting for a manual review.
Intragreat can conduct a compromise assessment for any Microsoft 365 tenant — reviewing sign-in logs, mailbox rules, delegated permissions, and admin activity to identify indicators of past or ongoing unauthorized access.