1. Why Microsoft 365 Matters in Investigations
Microsoft 365 often contains more useful evidence than a single computer. Email, files, Teams messages, OneDrive, SharePoint, sign-in records, and administrative activity may all help show what happened.
Common Investigation Types
Microsoft 365 evidence may matter in business email compromise, suspicious forwarding, payroll fraud, employee data theft, deleted email claims, SharePoint downloads, former employee access, and legal preservation requests.
More Than Email
A review may involve Exchange Online, Entra ID sign-in records, audit logs, OneDrive, SharePoint, Teams, mailbox rules, forwarding, mailbox permissions, mobile access, and application consent activity.
Time-Sensitive Evidence
Some records may not remain available forever. Availability can depend on licensing, configuration, retention settings, and timing.
2. Mailbox Preservation
What May Need to Be Preserved
Relevant material may include messages, attachments, deleted items, recoverable items, mailbox rules, forwarding settings, permissions, delegate access, suspicious folders, and related audit records.
Deleted Items May Still Matter
Deleted messages may still exist for a period of time depending on retention settings and mailbox configuration. That availability should not be assumed.
Rules and Forwarding
In compromised mailbox cases, rules and forwarding settings are especially important because attackers may hide replies, suppress alerts, redirect messages, or monitor vendor communications.
3. Sign-In Review
What Sign-In Records May Show
Sign-in records may show unusual locations, failed attempts, successful access after repeated failures, unfamiliar devices, unexpected applications, multi-factor authentication activity, and conditional access results.
Context Matters
Location data is helpful but imperfect. VPNs, mobile carriers, proxies, travel, and cloud security products can affect how activity appears.
Exposure Window
One important question is how long the account may have been exposed. That can affect review of messages, attachments, file access, customer communications, and possible notification obligations.
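The two patterns above that reviewers look for first, a success following a run of failures and a success from a country or device the user has not signed in from before, can be screened mechanically once the sign-in log has been exported. The following is an added example written for this page, not Cal Valley Technology Group's tooling or a Microsoft export format; the record fields (user, time, result, country, device) and the sample records are constructed, and the second function marks the earliest flagged success as a starting point for the exposure window question.

```python
from collections import defaultdict

# Constructed sample records (not a real tenant export); times are UTC, ISO-8601.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:02:00Z", "result": "success", "country": "US", "device": "LAPTOP-A1"},
    {"user": "alice@example.com", "time": "2024-05-01T23:10:00Z", "result": "failure", "country": "NG", "device": "unknown"},
    {"user": "alice@example.com", "time": "2024-05-01T23:11:00Z", "result": "failure", "country": "NG", "device": "unknown"},
    {"user": "alice@example.com", "time": "2024-05-01T23:12:00Z", "result": "failure", "country": "NG", "device": "unknown"},
    {"user": "alice@example.com", "time": "2024-05-01T23:13:00Z", "result": "success", "country": "NG", "device": "unknown"},
    {"user": "bob@example.com",   "time": "2024-05-02T09:05:00Z", "result": "failure", "country": "US", "device": "LAPTOP-B2"},
    {"user": "bob@example.com",   "time": "2024-05-02T09:06:00Z", "result": "success", "country": "US", "device": "LAPTOP-B2"},
]

def find_risky_signins(records, fail_threshold=3):
    """Return successful sign-ins worth a closer look, with the reason for each."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        # Timestamps are UTC in one fixed format, so string order is time order.
        recs.sort(key=lambda r: r["time"])
        seen_countries, seen_devices, streak = set(), set(), 0
        for rec in recs:
            if rec["result"] != "success":
                streak += 1  # failures leading up to the next success
                continue
            reasons = []
            if streak >= fail_threshold:
                reasons.append(f"success after {streak} consecutive failures")
            # Baseline is what this user's earlier successful sign-ins looked like.
            if seen_countries and rec["country"] not in seen_countries:
                reasons.append(f"new country {rec['country']}")
            if seen_devices and rec["device"] not in seen_devices:
                reasons.append(f"new device {rec['device']}")
            if reasons:
                findings.append({"user": user, "time": rec["time"], "reasons": reasons})
            seen_countries.add(rec["country"])
            seen_devices.add(rec["device"])
            streak = 0
    return findings

def exposure_start(findings):
    """Earliest flagged success per user: a starting point for the exposure window."""
    start = {}
    for f in findings:
        start[f["user"]] = min(start.get(f["user"], f["time"]), f["time"])
    return start
```

A first-ever success establishes the baseline rather than being flagged, so a user whose only records are from a new device is not reported; the threshold is a parameter because the right number depends on the tenant's lockout and conditional access settings.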
4. Audit Logs
What Audit Logs May Show
Audit records may show mailbox actions, file access, downloads, sharing activity, permission changes, administrative changes, user account changes, application consent, and activity across collaboration tools.
They Have Limits
Audit logs are valuable, but they are not magic. Availability depends on licensing, retention, enabled services, the type of action, and the time period under review.
Preservation and Documentation
When audit logs matter, they should be preserved by an authorized administrator or provider. The review should document the date range, export format, time zone assumptions, and known limitations.
5. OneDrive, SharePoint, and Teams
OneDrive
OneDrive may show file access, downloads, sync behavior, deleted files, shared links, external sharing, personal device access, or file movement before or after an employee departure.
SharePoint
SharePoint often stores department, project, client, or company-wide data. Relevant evidence may include site access, external sharing, document downloads, deleted files, and permission changes.
Teams
Teams evidence may include messages, channels, meetings, shared files, links, SharePoint-backed libraries, and OneDrive-shared documents.
6. What Businesses Should Avoid
When Microsoft 365 evidence may matter, avoid deleting accounts, removing licenses, cleaning up mailboxes, deleting suspicious rules, relying only on screenshots, or delaying technical review until records are no longer available.
When to Contact Cal Valley Technology Group
Contact Cal Valley Technology Group if you suspect a mailbox was compromised, a user account was accessed without authorization, company files were downloaded or shared, a former employee accessed data, or Microsoft 365 logs need to be preserved for review.
