Hacked by a mobile device and need to retrieve historical data to show timeline and device data

Occasional Visitor

My Office 365 Business/Exchange account was hacked and the hacker added a IPhone to the service to monitor my emails.  I discovered the device while performing a system audit to learn how to manage the overly complex system/software for which I signed up and am woefully incapable of managing :-(.  Anyway, via dumb luck, I discovered this device, In the Admin Center>Security & Compliance>Data Loss Prevention> Device Mgmt area it showed me the device, it is an IPhone and I am a Samsung User so it was obvious, when it logged in and was granted access (2 times) and the associated IMEI!  I had an option to Wipe Device and being panicked, I wiped it successfully.  However, I never copied the IMEI info because I thought the information would stay in that field for historical purposes.  


One of 2 things occured, the user who I wiped had access to the system live and realized I was on to them and went in and deleted these records, or Microsoft does not store them.  Either Way, I have been talking to Microsoft and the techs are not able to help, so far.  But, they are trying.  I think it is a hyper complex system with a large amount of data collection systems/capabilities and thus I need someone with this specific knowledge to help me understand where exactly I can go to find this historical evidence so I can prove who hacked my email. 


I know who it was and even have some evidence, i.e. Device ID, but I would love to recover the historical records and the EMEI information too.  It also appears that my Audit Logs were disabled or not turned on and I only turned them on the day after I wiped the device, 9/15. 


I have log files from the wipe verification and a final log report I luckily pulled are attached which contain the device ID but no IMEI and the Device ID is on 32 characters and I believe they are supposed to be 40.  I was also able to pull a Apple Cert Request.CSR file but I can not figure out how to read it nor could the MS tech.  Unfortunately, they are not supported file types in the community.  Let me know if I can email them.  They are .txt and .csr and 2 emails verifying actions taken.


So, does anyone know how/if I have a hope of recovering this information within Office 365's data tracking capabilities, pretty please?


Thanks for reading my traumatic story!





0 Replies