
How to Tell If Your Microsoft 365 Account Has Been Compromised

M365 breaches often go undetected for weeks. Attackers set up quiet email forwarding rules, register OAuth apps, and slowly exfiltrate data while everything looks normal. Here's where to look and what to check right now.

Why M365 compromises are easy to miss

Unlike a ransomware attack that announces itself, most M365 account compromises are designed to be invisible. The attacker's goal is usually Business Email Compromise (BEC) — sitting in a mailbox and watching for invoices, payment requests, or sensitive conversations to exploit. They don't lock you out because that would end the access.

The most common attack paths are: password spray against accounts without MFA, phishing for session tokens (bypasses MFA entirely), and OAuth consent grant attacks where a malicious app gets read access to email and files.

7 signs your M365 tenant has been compromised

Sign 1: Email forwarding rules you didn't create

This is the most common indicator. Attackers create inbox rules that silently forward copies of all incoming mail — especially anything matching keywords like "invoice", "payment", "wire transfer" — to an external address. Check: Exchange Admin Center → Mail flow → Rules for tenant-wide rules, then check each suspected user's Outlook inbox rules individually, including mailbox-level forwarding set on the mailbox itself, which Outlook does not show.
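The same hunt from Exchange Online PowerShell, as an added example that is not from the original article. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session as an Exchange admin; Test-ExternalAddress is a helper written here, and the keyword list mirrors the lures named above.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has already been run.
$Keywords = @('invoice', 'payment', 'wire transfer')
$AcceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

# Helper (written for this example): true when a rule recipient string such as
# '"Name" [SMTP:user@domain]' points outside the tenant's accepted domains.
function Test-ExternalAddress {
    param([string]$Recipient)
    $m = [regex]::Match("$Recipient", '[\w.+-]+@[\w.-]+')
    if (-not $m.Success) { return $false }
    return ($AcceptedDomains -notcontains $m.Value.Split('@')[-1].ToLower())
}

# 1. Mailbox-level forwarding on the mailbox object (invisible in Outlook's rule list)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect externally, or that hide mail matching BEC keywords.
#    -IncludeHidden also returns rules created over MAPI/EWS that Outlook never displays.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { Test-ExternalAddress "$_" }
        $words    = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $lure     = $words | Where-Object { $w = "$_"; $Keywords | Where-Object { $w -like "*$_*" } }
        if ($external -or ($lure -and $rule.DeleteMessage)) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join '; ')
                Keywords = ($lure -join '; ')
                Deletes  = $rule.DeleteMessage
            }
        }
    }
}

# 3. Tenant-wide transport rules that copy or redirect mail (the "Mail flow -> Rules" page)
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo
```

Keep the output with the case file: a rule that forwards externally and deletes the original is the classic BEC footprint and is worth preserving before you disable it.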

Sign 2: Sign-ins from unexpected locations or IPs

Go to Entra ID (Azure AD) → Sign-in logs. Filter by the user in question and look for sign-ins from countries you don't operate in, unusual ISPs, or sign-ins via legacy auth protocols (IMAP, POP3, SMTP AUTH), which cannot be protected by MFA. A single successful sign-in from an unusual country shortly after a failed MFA prompt is a major red flag.
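A scripted version of that triage, as an added example that is not from the original article. It assumes the Microsoft.Graph.Reports module and a Connect-MgGraph session with the AuditLog.Read.All and Directory.Read.All scopes; $Upn and $ExpectedCountries are placeholders for your environment, and the MFA-failure matching rule is an assumption stated in the comments.

```powershell
# Added example (not from the article). Assumes Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'.
$Upn = 'user@contoso.example'                 # placeholder
$ExpectedCountries = @('GB', 'IE')            # placeholder: ISO codes you actually operate from
# Values Entra writes to ClientAppUsed for legacy (non-modern) authentication
$LegacyApps = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients')

$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Sort-Object CreatedDateTime

$lastMfaFail = $null
foreach ($s in $signIns) {
    $country = $s.Location.CountryOrRegion
    if ($s.Status.ErrorCode -ne 0) {
        # Assumption: MFA interrupts/denials are reported as codes 50074 / 500121 or with
        # "strong authentication" in the failure reason; remember the most recent one.
        if ($s.Status.ErrorCode -in @(50074, 500121) -or $s.Status.FailureReason -match 'strong authentication') {
            $lastMfaFail = $s
        }
        continue
    }
    $reasons = @()
    if ($s.ClientAppUsed -in $LegacyApps) { $reasons += "legacy auth ($($s.ClientAppUsed))" }
    if ($country -and $country -notin $ExpectedCountries) { $reasons += "unexpected country $country" }
    if ($lastMfaFail) {
        $gap = ($s.CreatedDateTime - $lastMfaFail.CreatedDateTime).TotalMinutes
        if ($gap -le 15) { $reasons += "success $([int]$gap) min after failed MFA from $($lastMfaFail.IPAddress)" }
    }
    if ($reasons) {
        [pscustomobject]@{
            Time    = $s.CreatedDateTime
            IP      = $s.IPAddress
            Country = $country
            App     = $s.AppDisplayName
            Client  = $s.ClientAppUsed
            Flags   = ($reasons -join '; ')
        }
    }
}
```

A row carrying both "unexpected country" and "success ... after failed MFA" is the pattern the text describes; a legacy-auth success on its own already means MFA was never in the path.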

Sign 3: OAuth apps with broad permissions

Consent grant attacks are underreported. An attacker sends a link that grants a malicious app read access to mail, contacts, and files — and the user approves it thinking it's a legitimate tool. Because the access rides on the app's own tokens, it survives a password reset. Check: Entra ID → Enterprise Applications → All applications. Look for apps with Mail.Read, Files.Read.All, or Contacts.Read permissions that were consented to recently.
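The same review over every delegated consent in the tenant, as an added example that is not from the original article. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules and a Connect-MgGraph session with Application.Read.All and Directory.Read.All; the 30-day "recent" window and the extra Mail.ReadWrite scope are my additions.

```powershell
# Added example (not from the article). Assumes Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'.
$WatchScopes  = @('Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Contacts.Read')
$RecentCutoff = (Get-Date).AddDays(-30)     # assumption: what counts as "recently"
$HomeTenant   = (Get-MgContext).TenantId

$spCache = @{}
foreach ($g in Get-MgOauth2PermissionGrant -All) {        # every delegated consent in the tenant
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $_ -in $WatchScopes }
    if (-not $hits) { continue }

    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId `
            -Property Id,DisplayName,AppId,AppOwnerOrganizationId,CreatedDateTime
    }
    $sp = $spCache[$g.ClientId]

    # Who consented: one user (the usual phishing case) or an admin on behalf of everyone
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'ALL USERS (admin consent)' }
           else { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName }

    [pscustomobject]@{
        App           = $sp.DisplayName
        AppId         = $sp.AppId
        ForeignApp    = ($sp.AppOwnerOrganizationId -and $sp.AppOwnerOrganizationId -ne $HomeTenant)
        AddedToTenant = $sp.CreatedDateTime
        Recent        = ($sp.CreatedDateTime -gt $RecentCutoff)
        ConsentedBy   = $who
        Scopes        = ($hits -join ' ')
        GrantId       = $g.Id   # pass to Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId to revoke
    }
}
```

A recently added, foreign-owned app with Mail.Read consented by a single user is the shape to investigate first; application (app-role) permissions are a separate list under Get-MgServicePrincipalAppRoleAssignment and are not covered here.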

Sign 4: New or changed MFA methods

Once attackers have temporary access (e.g. via session token theft), they often add a new authentication method — a different phone number or authenticator app — to maintain persistent access even after a password reset. Check: Entra ID → Users → Authentication methods for any recently added phone numbers or authenticator registrations.

Sign 5: Sent items you don't recognise

If the attacker is running a BEC campaign from the account, they'll be sending emails. They often delete these from Sent Items immediately, but check anyway. Also check Deleted Items and Recoverable Items — messages deleted by inbox rules often land in Recoverable Items for 14 days before permanent deletion.

Sign 6: Unusual admin role assignments

A compromised admin account may be used to elevate another account to Global Admin before it gets detected and locked. Check: Entra ID → Roles and administrators → Global Administrator and compare the list to what you expect. Also check M365 Admin Center → Audit log for recent role assignment events.

Sign 7: Unified Audit Log events for mass download

Attackers often exfiltrate data before you notice. In M365 Compliance Center → Audit, search for FileDownloaded, FileCopied, and MailItemsAccessed events for the suspected account. Hundreds of file downloads in a short window are a clear indicator of data theft.

Immediate response checklist

  1. Revoke all active sessions — Entra ID → Users → [User] → Revoke sessions. This invalidates all current tokens.
  2. Reset the password — Force a new strong password immediately.
  3. Review and remove MFA methods — Delete any authentication methods you don't recognise.
  4. Delete suspicious inbox rules — Remove all forwarding rules you didn't create.
  5. Revoke OAuth app consents — Remove any apps with suspicious permissions.
  6. Check for new admin accounts — Lock or delete any accounts you don't recognise with elevated roles.
  7. Preserve audit logs — Export relevant sign-in and audit logs before they age out (default retention is 90 days on most plans).
  8. Enable legacy auth block — If not already done, create a Conditional Access policy blocking all legacy authentication protocols.

Important: Don't just reset the password and call it done. If the attacker added a new MFA method, they regain access as soon as you reset the password. Always revoke sessions, reset password, AND audit authentication methods in that order.
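Steps 1, 3, 4 and 7 of the checklist as one containment script, added here as an example that is not from the original article. It assumes the Microsoft.Graph (Users, Users.Actions, Identity.SignIns, Reports) and ExchangeOnlineManagement modules with Connect-MgGraph (User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, AuditLog.Read.All) and Connect-ExchangeOnline already done; $Upn and $CaseDir are placeholders, and the password reset (step 2) is left to your normal process so it happens between the session revoke and the MFA review.

```powershell
# Added example (not from the article). Run after Connect-MgGraph and Connect-ExchangeOnline.
param(
    [Parameter(Mandatory)][string]$Upn,                          # placeholder: the suspected account
    [string]$CaseDir = "C:\IR\$($Upn -replace '[@.]', '_')"      # placeholder: evidence folder
)
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

# Step 1: invalidate every refresh token first, so a stolen session cannot ride out the password reset.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 3: record the registered methods, then remove any you do not recognise
# (e.g. Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId <Id>).
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id,
        @{ n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } },
        @{ n = 'Detail'; e = { $_.AdditionalProperties | ConvertTo-Json -Compress } } |
    Tee-Object -FilePath "$CaseDir\auth-methods.txt"

# Step 4: capture forwarding rules as evidence, disable them (rather than delete), and clear
# mailbox-level forwarding that Outlook never shows.
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Tee-Object -FilePath "$CaseDir\inbox-rules.txt" |
    ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# Step 7: export sign-ins and the audit operations from Sign 7 (plus rule changes) before the 90-day window closes.
Get-MgAuditLogSignIn -All -Filter "userId eq '$($user.Id)'" |
    Export-Csv "$CaseDir\signins.csv" -NoTypeInformation
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 `
    -Operations FileDownloaded,FileCopied,MailItemsAccessed,New-InboxRule,Set-InboxRule,UpdateInboxRules |
    Export-Csv "$CaseDir\audit.csv" -NoTypeInformation
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a busy mailbox narrow the date range or page with -SessionCommand ReturnLargeSet.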

How to prevent this from happening again

The misconfigurations that enabled most of the above — MFA not enforced, legacy auth enabled, no Conditional Access policies — are exactly what Workspace Posture Pro audits automatically every week. You get a prioritised list of what needs fixing before the next incident, not after.


Catch these misconfigurations before attackers do

Workspace Posture Pro runs automated weekly audits of your M365 tenant — MFA gaps, legacy auth, stale admins, OAuth apps, forwarding rules — and emails you a prioritised fix list every Monday.
