Forum Discussion

halil86
Copper Contributor
Mar 30, 2019

Office365 account compromise

Hi

I'm doing incident response for an Office 365 account hijacking. May I know how I can check whether the hacker has downloaded all the webmail to a local computer (PST etc.)?

Is there any specific string I can filter on inside the audit log?

Thanks

 

  • Cian Allner
    Silver Contributor

    Hi, I'd start here, which is a series of steps, if you haven't seen it already, on how to deal with compromised accounts:

    https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

    The above article mentions checking the Audit Logs in the Security & Compliance Center and reviewing all the activities for the suspected account

    "by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date"

    The article also discusses checking the Azure AD sign-in logs and other risk reports.

    • halil86
      Copper Contributor

      Cian Allner

      Thanks Cian. I had gone through the actions. From the audit log, the hacker had access for around 30 minutes before the admin changed the password. Now I'm looking into what actions were performed besides sending a phishing link to all the contacts.
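One way to do the triage this thread is about, as an added example that is not from the thread, from Microsoft's documentation or from any tool the posters mention: the script below takes the AuditData JSON of each record returned by Search-UnifiedAuditLog -UserIds <upn> (or exported from the Security & Compliance Center) and reports, for a chosen window, the operation counts, any client IP not in a known-good list, every mailbox logon with its client string, and inbox-rule, permission and forwarding changes. It assumes the AuditData fields follow the Office 365 Management Activity API schema (CreationTime, Operation, UserId, ClientIP, ClientInfoString, LogonType, ObjectId, Parameters); the sample records, the known-IP set and the operation lists are constructed for illustration. On the original question: a client-side export to a PST file does not appear in the unified audit log as a distinct "export" operation. What the log can show is the sign-in and mailbox-logon activity in the attacker's window (which client connected, from which IP, and how often), plus any configuration changes, so that is what the script surfaces.

```python
"""Triage unified audit log records for one compromised Office 365 account.

Input: the AuditData JSON string of each record, as returned by
  Search-UnifiedAuditLog -UserIds victim@contoso.com -StartDate ... -EndDate ...
(one JSON document per record) or as exported from the Security & Compliance
Center. Field names assume the Office 365 Management Activity API schema.
"""
import json
from collections import Counter
from datetime import datetime

# Operations that set up persistence or an exfiltration path. Assumed list;
# extend it for your tenant.
PERSISTENCE_OPS = {
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox",
}
# Set-Mailbox is only flagged when it touches forwarding.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "DeliverToMailboxAndForward"}

# Constructed sample records (not real tenant data): a legitimate logon before
# the incident, then an attacker session from an unknown IP.
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2019-03-28T08:15:00", "Operation": "UserLoggedIn",
                "UserId": "victim@contoso.com", "ClientIP": "198.51.100.7",
                "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded"}),
    json.dumps({"CreationTime": "2019-03-28T09:02:11", "Operation": "UserLoggedIn",
                "UserId": "victim@contoso.com", "ClientIP": "203.0.113.45",
                "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded"}),
    json.dumps({"CreationTime": "2019-03-28T09:03:40", "Operation": "MailboxLogin",
                "UserId": "victim@contoso.com", "ClientIP": "203.0.113.45",
                "Workload": "Exchange", "LogonType": 0,
                "ClientInfoString": "Client=MSExchangeRPC"}),
    json.dumps({"CreationTime": "2019-03-28T09:05:12", "Operation": "New-InboxRule",
                "UserId": "victim@contoso.com", "ClientIP": "203.0.113.45",
                "Workload": "Exchange", "ObjectId": "victim@contoso.com\\Cleanup",
                "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                               {"Name": "SubjectContainsWords", "Value": "password;invoice"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-03-28T09:06:30", "Operation": "Set-Mailbox",
                "UserId": "victim@contoso.com", "ClientIP": "203.0.113.45",
                "Workload": "Exchange", "ObjectId": "victim@contoso.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:drop@example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
]


def parse_records(auditdata_strings):
    """Decode each AuditData JSON document and return records sorted by CreationTime."""
    records = [json.loads(s) for s in auditdata_strings]
    for rec in records:
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
    return sorted(records, key=lambda r: r["_time"])


def _params(rec):
    """Flatten the Exchange cmdlet Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def triage(records, known_ips, start, end):
    """Summarise what happened between start and end (ISO 8601 strings).

    Returns a dict with per-operation counts, client IPs not in known_ips,
    every mailbox logon with its client string, and persistence/forwarding changes.
    """
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    report = {"operations": Counter(), "new_ips": set(),
              "mailbox_logons": [], "persistence": []}
    for rec in records:
        if not start <= rec["_time"] <= end:
            continue
        op, ip = rec.get("Operation"), rec.get("ClientIP")
        report["operations"][op] += 1
        if ip and ip not in known_ips:
            report["new_ips"].add(ip)
        if op == "MailboxLogin":
            # Client string and source IP of each mailbox session: the closest the
            # log gets to showing which client pulled mail during the window.
            report["mailbox_logons"].append(
                (rec["CreationTime"], ip, rec.get("ClientInfoString"), rec.get("LogonType")))
        if op in PERSISTENCE_OPS:
            params = _params(rec)
            if op == "Set-Mailbox" and not FORWARDING_PARAMS.intersection(params):
                continue
            report["persistence"].append((rec["CreationTime"], op, rec.get("ObjectId"), params))
    return report


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDITDATA)
    rep = triage(recs, known_ips={"198.51.100.7"},
                 start="2019-03-28T09:00:00", end="2019-03-28T09:35:00")
    print("operations:", dict(rep["operations"]))
    print("new IPs:", sorted(rep["new_ips"]))
    for entry in rep["mailbox_logons"]:
        print("mailbox logon:", entry)
    for entry in rep["persistence"]:
        print("persistence:", entry)
```

Set the window to span from just before the first suspicious sign-in to the password change, as the linked article suggests, and feed in the known corporate egress IPs; anything left in new_ips, and every mailbox_logons entry from those IPs, is the session to investigate for bulk mail access. Whether MailboxLogin records exist at all depends on the mailbox auditing configuration of the tenant, so an empty mailbox_logons list means "not recorded", not "did not happen".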
