The use of cloud technologies and products – whether as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) – has become widespread in the corporate world over the last few years [1]. The market is dominated by the major providers Microsoft, Amazon and Google [2]. While Amazon is the leader in the IaaS and PaaS sectors in particular, Microsoft has established itself with its M365 solution in the SaaS segment [3]. Products such as Word, Excel and Outlook have long been an integral part of everyday working life and are now essential in modern offices. The fact that Microsoft is increasingly moving its products from on-premises deployments (on the customer's own hardware) to the M365 cloud is also prompting companies to migrate to the Microsoft Cloud more frequently. This is no trivial task. Although cloud solutions shift various security aspects to the responsibility of the cloud provider (e.g. patching the operating system for PaaS/SaaS), they also bring new and challenging tasks for cloud customers. The attack methods and lateral movement opportunities that cloud usage opens up are as diverse as Microsoft's product jungle.

[Figure: Shared Responsibility Model]

Phishing remains one of the most popular and effective entry points for attackers. A single carelessly opened email or misjudged link is enough to enable the first step into a corporate network. Even modern protection mechanisms such as multi-factor authentication do not provide absolute security. With sufficient know-how, these obstacles can be circumvented. In an earlier article, we already showed how attackers operate in such a scenario.

Once they have gained access, the next phase begins: the systematic exploitation of the access they have obtained. This can include the inconspicuous reading of sensitive data, the targeted expansion of authorisations or the launch of new phishing campaigns via already compromised accounts – depending on the attackers' objectives [4]. By the time such behaviour becomes apparent, at the latest, companies are confronted with pressing questions:

  • What exactly has happened? 
  • Which systems or data sets are affected? 
  • How can the extent of the incident be reliably limited?

But what can be done to answer these questions and deal with the incident in the M365 cloud?

Several aspects play a role here that need to be considered for incident handling and forensic investigation. To handle the incident effectively, it is first crucial to know the specific parameters. In addition to recording the exact symptoms and general conditions in the context of emergency management (such as compliance with reporting requirements), the technical conditions must be determined, especially in the public cloud environment. These include, among other things:

  • Which cloud products has my company purchased licences for and which licences do I currently have actively assigned?
  • Which products are currently in active use?
  • Do I have a connection from my on-premise systems to my cloud environment, i.e. hybrid configurations?
  • Have I linked different cloud environments – multi-cloud?
  • How is my cloud currently configured? Do I still have default settings, or have I already implemented security measures (hardening)? Do I use special security products and features?
  • What rights does the presumably compromised account have?

This is not a complete list – depending on the answers, further, more specific questions often arise. Nevertheless, the answers can be used to derive initial assessments of possible attacks and an approximate scale of the spread. At the same time, the answers can be used to coordinate further steps for incident handling, such as immediate measures and the identification of relevant data for a forensic investigation.

Purview logs and logs from Entra ID, such as sign-in and audit logs, are particularly important for forensic investigations of compromised M365 accounts. However, the availability and level of detail of these and other log and information sources depend in part on the respective licensing. Purview audit logs provide valuable information about the activities and data accesses of the attackers. When evaluated correctly, they make it possible to reconstruct the attackers' actions and find answers to the initial questions. Microsoft documents the operations recorded in the Purview logs and provides a brief description of their significance on its website. In addition, the recorded events from the Entra ID logs can be used and correlated with the Purview data. These logs are also relevant if, for example, Azure services (Microsoft's PaaS solution) are used instead of M365. In the context of phishing incidents, the message trace logs from Exchange Online can also provide helpful information.
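As an added illustration of the correlation described above (example code written for this article, not a tool from the authors or from Microsoft), the following script joins exported Purview audit records with Entra ID sign-in records: it flags mailbox operations that are typical after an account takeover when they originate from an IP address the user has no earlier sign-in history from, and attaches the matching sign-in. It assumes a simplified subset of the real export fields (`Operation`, `UserId`, `ClientIP`, `CreationTime` on the Purview side; `userPrincipalName`, `ipAddress`, `createdDateTime`, `success`, `appDisplayName` on the Entra ID side) and uses constructed sample records.

```python
from datetime import datetime, timedelta

# Mailbox operations that frequently appear after an account takeover.
# Whether some of them (e.g. MailItemsAccessed) are recorded at all depends
# on licensing, as the article notes.
SENSITIVE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
                 "Add-MailboxPermission", "MailItemsAccessed"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def baseline_ips(signins, user, before):
    """IP addresses from successful sign-ins of `user` older than `before`."""
    return {s["ipAddress"] for s in signins
            if s["userPrincipalName"] == user and s["success"]
            and parse_ts(s["createdDateTime"]) < before}

def correlate(purview, signins, window=timedelta(hours=1)):
    """Flag sensitive Purview operations from an IP with no sign-in history
    for that user before `window`; attach the sign-in inside the window."""
    findings = []
    for rec in sorted(purview, key=lambda r: r["CreationTime"]):
        if rec["Operation"] not in SENSITIVE_OPS:
            continue
        t = parse_ts(rec["CreationTime"])
        if rec["ClientIP"] in baseline_ips(signins, rec["UserId"], t - window):
            continue  # IP already used by this user before the window
        match = [s for s in signins
                 if s["userPrincipalName"] == rec["UserId"]
                 and s["ipAddress"] == rec["ClientIP"]
                 and abs(parse_ts(s["createdDateTime"]) - t) <= window]
        findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "op": rec["Operation"], "ip": rec["ClientIP"],
                         "signin_app": match[0]["appDisplayName"] if match else None})
    return findings

# Constructed sample data (simplified field subset, not real exports).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-04-28T08:02:11", "success": True,
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77",
     "createdDateTime": "2024-05-03T13:41:05", "success": True,
     "appDisplayName": "OfficeHome"},
]
SAMPLE_PURVIEW = [
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "CreationTime": "2024-05-01T08:05:00"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.77", "CreationTime": "2024-05-03T13:44:30"},
    {"Operation": "FileAccessed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.77", "CreationTime": "2024-05-03T13:50:00"},
]
```

Running `correlate(SAMPLE_PURVIEW, SAMPLE_SIGNINS)` reports only the `New-InboxRule` from 198.51.100.77, tied to the `OfficeHome` sign-in three minutes earlier; the access from the user's established address and the non-mailbox operation are not reported.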

However, knowing exactly what is needed in an emergency – and what needs to be considered, especially in a cloud environment – can be a real challenge. In addition to the general aspects that need to be considered in the context of emergency management, the cloud environment often adds additional technical complexity due to numerous dependencies and the variety of cloud products. In such a situation, it can therefore be useful to seek expert support. Our experts are available around the clock via our emergency hotline to assist you – both in dealing with security incidents in the cloud environment and with other security events.

To avoid such security incidents, it is imperative to prioritise prevention and security at an early stage. Our Technical Consulting Team is able to assist in the protection of cloud systems and infrastructures in a targeted manner. They can also ensure that potential risks and security-related aspects are identified and addressed in a timely manner.

[1] Statista, "Cloud computing – use in companies by 2024", https://de.statista.com/statistik/daten/studie/177484/umfrage/einsatz-von-cloud-computing-in-deutschen-unternehmen-2011/

[2] Statista, "Cloud computing – market shares of companies in 2025", https://de.statista.com/statistik/daten/studie/150979/umfrage/marktanteile-der-fuehrenden-unternehmen-im-bereich-cloud-computing/

[3] Statista, "Software as a Service – Worldwide", https://de.statista.com/outlook/tmo/public-cloud/software-as-a-service/weltweit

[4] Microsoft, "Detecting and mitigating a multi-stage AiTM phishing and BEC campaign", https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/