When something is wrong
Think your Microsoft 365 tenant has been compromised?
A Microsoft 365 forensic audit reconstructs what actually happened from the tenant's own evidence: how the attacker got in, what they read, what they changed and whether they are still there, documented to the standard your insurer, regulator and lawyers will ask for.
The usual first signs
How tenant compromises announce themselves
Most Microsoft 365 breaches are discovered by accident, and usually by someone outside IT. If any of these has happened this week, preserving evidence now matters more than anything else you do today.
One instruction before anything: do not delete the suspicious rules, mails or accounts yet. Eviction matters, but evidence deleted in the panic is evidence the investigation never gets back.
Common triggers
- A supplier or customer says they received a strange invoice or payment request from you
- A user reports MFA prompts they never asked for
- Mail is arriving in odd folders, disappearing, or replying without them
- A forwarding rule to an external address nobody recognises
- Sign-ins from countries where nobody works
- Your bank, insurer or a law-enforcement contact has flagged activity
The four questions
What the forensic audit establishes
How they got in
Sign-in history, token evidence and legacy protocol usage reconstructed to the initial access: phished credentials, sprayed password or consented rogue app.
What they touched
Mailbox access, searches run, files opened and shared, from the unified audit log and mailbox audit records, mapped to a timeline your board and insurer can read.
Whether they persist
Inbox rules, delegate grants, OAuth applications and MFA method changes hunted down, because eviction fails if any foothold survives.
What leaves with them
Forwarding, sync clients and download patterns examined for exfiltration, with plain caveats where logging limits what can be known.
The report closes with the remediation plan: the fixes that stop the same route being used twice, which in most BEC cases means the exact items from our hardening checklist the tenant was missing.
Quick answers
Forensic audit questions, answered
What is a Microsoft 365 forensic audit?
An evidence-led reconstruction of activity in a tenant after suspected compromise: how access was gained, what was accessed, what persistence was planted and what data may have left. It uses the tenant's own logs, handled so the findings can support insurance claims, regulatory notifications and, where needed, legal processes.
We think it's happening right now. Is this the right service?
If an attacker is active this minute, you need incident response first: containment, eviction and communication, led by CyPro's incident response team. The forensic audit is the reconstruction that follows containment, or the investigation when the signs are historical. Call either way and you will reach the right people; it is one firm.
How quickly can the audit start, and what do you need?
Quickly: the scoping call happens within one working day and evidence preservation guidance is given on that call, because audit log retention windows are unforgiving. We need read-only access and, ideally, nobody deleting anything in the meantime.
Will you tell us if the logs cannot answer the question?
Yes, explicitly. Tenants without unified audit logging or with short retention sometimes cannot support every conclusion, and a forensic report that overreaches is worse than useless. Where evidence is missing, the report says so and the remediation plan fixes the logging for next time.
Evidence has a shelf life
Speak to an investigator today
Book the next available call or send an enquiry marked urgent. Evidence preservation guidance is given on the first call, before any engagement is signed.