How to Catch a Breach in Office 365
Typically, when an account is breached, the hacker will do things that drastically affect the user's mail flow. You might notice things such as mail not being received, unable to send mail altogether, mail being sent from the account that the account owner did not send, among other things. Essentially, there are two dead giveaway's that the account has been compromised: unwarranted mail-flow rules and unauthorized login attempts.
Mailbox rules allow the user to move, flag and/or respond to messages automatically, so it's obvious why hackers would use these to gain information. Mailbox rules are usually pretty easy to detect as you can simply check applied rules within Outlook or the Admin tenant within Office 365, but the more experienced hackers have ways of being a bit more discreet as well. These types of mailbox rules can be customized so that only certain types of mail are moved, which can make it hard to detect as you are still receiving most mail to your inbox. Examples of this could be rules like "if mail is received from Accounting, send to RSS folder," or "automatically forward all mail without notification."
Another item that you may want to check when catching a breach are the Sign-in Logs for the account. This will show who has signed in to the account and from where. This takes a little more maintenance as you would want to check these daily to have consistent monitoring as the account owner would not know this was happening otherwise. In conjunction with checking sign-in logs, if MFA is enabled on the account and you are receiving multiple requests to your device with MFA codes that you weren't initiating, that could be a tell-tale sign to check the Sign-in Logs.
Ideally, the items would need to be monitored VERY regularly to have proper security on the accounts and e-mail tenant itself, which can sound a bit daunting, but there are tools that we can offer that do it automatically with no manual monitoring needed. It's always good to have peace-of-mind when it comes to e-mail security and the sensitive information being passed through your business e-mail, so reach out to us if you might want to learn more about our tool called Cloud Protect that can do this for you. Further, if you simply have questions or need consultation on what might be a good fit for your needs, we are here for you!