Only start this once containment is complete (password reset, sessions revoked, MFA verified, inbox rules removed). Investigating while the attacker still has access may alert them.

Use these steps to find out how they got in, what they did, and whether any other accounts are affected.

Step 1 — Review the Entra ID sign-in logs

Entra ID → Users → select user → Sign-in logs — filter back at least 30 days

Look for:

  • Successful sign-ins from unfamiliar IP addresses or countries
  • Sign-ins via IMAP/POP/SMTP (Basic auth) — these bypass MFA entirely
  • Sign-ins flagged as Risky by Entra ID Identity Protection
  • Multiple failed sign-ins followed by a success (password spray)
  • Unexpected OAuth application shown as the app used

If you find a suspicious successful sign-in, check whether the user received a phishing email shortly beforehand — this link confirms the attack chain.

Step 2 — Search the Unified Audit Log

compliance.microsoft.com → Audit — search by the affected user, last 30 days. Filter for:

  • New-InboxRule / Set-InboxRule — especially rules with DeleteMessage: True (attacker hiding alerts)
  • Set-Mailbox — changes to forwarding, delegates, or settings
  • Add-MailboxPermission / Add-RecipientPermission — did they grant themselves or others access?
  • Consent to application — malicious OAuth app granted access
  • Send / SendAs / SendOnBehalf — shows outbound phishing activity
  • FileAccessed / FileDownloaded / FileModified — SharePoint or OneDrive access

If the Unified Audit Log isn't enabled, you have no history. Enable it immediately so data is captured going forward.

Step 3 — Run a Message Trace

  1. Exchange Admin Centre → Mail flow → Message trace
  2. Set sender to the compromised account, date range to at least the past 7 days
  3. Run and export the results — this gives you the full recipient list for notifications, the sending timeframe, and whether internal users were targeted

Check whether internal users received phishing emails — if so, treat those accounts as potentially compromised and investigate them separately.

Step 4 — Review mailbox rule history in PowerShell

Even if you've already removed rules, the audit log shows when they were created. Run:

Get-InboxRule -Mailbox <user@domain.com> | Format-List Name, Description, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder

 

And search the audit log:

Search-UnifiedAuditLog -StartDate <start-date> -EndDate <end-date> -UserIds <user@domain.com> -Operations New-InboxRule,Set-InboxRule,Enable-InboxRule

 

Look specifically for rules with DeleteMessage: True — attackers use these to silently delete bounce-backs and security alerts so the account owner notices nothing.

Step 5 — Verify registered authentication methods

  1. Entra ID → Users → select user → Authentication methods
  2. Have the user confirm every registered method — remove anything they don't recognise
  3. Search the audit log for User registered security info events during the compromise window

If the attacker registered their own authenticator app, enabling MFA alone won't stop them. This step is essential.

Step 6 — Check OAuth app consents

  1. Entra ID → Enterprise Applications → filter by the affected user → review all consented apps
  2. Flag any app with Mail.Send, Mail.ReadWrite, or MailboxSettings.ReadWrite
  3. Cross-check with the audit log: search for Consent to application events

A malicious OAuth app survives password resets and session revocations — it's one of the most important persistence mechanisms to rule out.

Step 7 — Check for lateral movement

  1. Audit log: did the account access resources beyond its own mailbox?
  2. Did the attacker send phishing to internal users? If yes, treat those accounts as potentially compromised too
  3. SharePoint/OneDrive logs: any unexpected file downloads or access?
  4. Teams: any messages sent from the account during the compromise window?

Step 8 — Identify how they got in

Use the data above to match the attack to one of these common vectors:

Attack vector

Indicators in the logs

Remediation

Phishing / credential theft

Successful sign-in from unfamiliar IP shortly after a phishing email was received

Enable MFA, deploy anti-phishing protection, user awareness training

Password spray / brute force

Multiple failed sign-ins from the same IP followed by a success

Enable MFA, enforce strong passwords, consider IP blocking

Legacy protocol abuse

Sign-in via IMAP/POP/SMTP AUTH — bypasses MFA entirely

Disable legacy authentication tenant-wide

Token theft (AiTM)

No suspicious sign-in, but token usage from unfamiliar IP

Enable token protection, Conditional Access with compliant device requirement

OAuth consent phishing

"Consent to application" event in audit log

Restrict user consent to verified publishers, revoke the app

Credential reuse

Successful sign-in from unusual location, no prior failed attempts

Enforce unique passwords, deploy credential monitoring


Investigation checklist

  1. Sign-in logs reviewed — suspicious IPs/locations identified
  2. Unified Audit Log searched — rule changes, app consents, file access
  3. Message Trace run — recipient list exported
  4. Inbox rule history reviewed (including delete rules)
  5. Authentication methods verified with the user
  6. OAuth app consents reviewed — malicious apps revoked
  7. Lateral movement checked
  8. Initial access vector determined
  9. Findings documented and remediation confirmed

Problems with Proofpoint? Fix Them Fast

We diagnose and resolve Proofpoint issues quickly — from email delivery problems to configuration errors — keeping your business secure and running smoothly.

Speak to an expert