BIPI

M365 Incident Response Runbook: Unified Audit Log, OAuth Grants, and Mailbox Forensics

Cybersecurity

A practitioner Microsoft 365 IR playbook covering UAL queries, MailItemsAccessed, MessageTrace, inbox rule analysis, OAuth app consent enumeration, and session revocation in the correct order.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 6, 2024 · 8 min read

#microsoft-365 #ir #email #oauth

M365 incidents are usually account takeover or OAuth consent attacks. The same logs answer both. The Unified Audit Log (UAL) is your primary source. MailItemsAccessed gives you per-message read evidence if the tenant has Microsoft 365 E5 or the Microsoft Purview Audit (Premium) add-on. MessageTrace tells you what moved, not what was read.

1. Search-UnifiedAuditLog basics

The ExchangeOnlineManagement PowerShell module does the heavy lifting. Connect-ExchangeOnline, then pull a 14-day window for the suspect account. Filter aggressively or the result set is unusable: a single call returns at most 5,000 records, and anything beyond that has to be paged with -SessionId and -SessionCommand ReturnLargeSet.

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) -UserIds alex@contoso.com -ResultSize 5000 | Export-Csv ir2024-alex-ual.csv -NoTypeInformation

Open the CSV and pivot on the Operations column (inside the AuditData JSON the same field is called Operation). The operations that scream incident: New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox (forwarding changes), Add-MailboxPermission, MailItemsAccessed from an IP or session the user does not normally use, and the Entra operations 'Consent to application.' and 'Add app role assignment grant to user.' (the trailing period is part of the name in the UAL).
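The paged pull and the Operations pivot, as an added example (this is not code from the original post). It assumes Connect-ExchangeOnline has already succeeded and that the operator holds a role with View-Only Audit Logs; the function names and the -Days / -OutFile parameters are ours.

```powershell
# Added example, not code from the original post. Assumes a Connect-ExchangeOnline session.
# The operation names below are the ones the post calls out.
$SuspiciousOperations = @(
    'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
    'Set-Mailbox', 'Add-MailboxPermission', 'MailItemsAccessed',
    'Consent to application', 'Add app role assignment grant to user'
)

function Get-UalForUser {
    <# Pulls a full UAL window for one user. A single call is capped at 5,000 records;
       SessionId + ReturnLargeSet pages through up to 50,000. #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [int] $Days = 14,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    $sessionId = 'ir-ual-{0}-{1}' -f $UserId, [guid]::NewGuid()
    $records = New-Object System.Collections.Generic.List[object]
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserId `
                  -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        foreach ($r in $page) { $records.Add($r) }
    } while ($page.Count -gt 0)
    if ($records.Count -ge 50000) { Write-Warning 'Hit the 50,000 record ceiling; narrow the window or split by RecordType.' }
    # Pages are not guaranteed disjoint or ordered; Identity is unique per record.
    $unique = $records | Sort-Object Identity -Unique | Sort-Object CreationDate
    $unique | Export-Csv -Path $OutFile -NoTypeInformation
    return $unique
}

function Get-UalTriage {
    <# Pivot on the Operations column and mark the ones worth reading first. #>
    param([Parameter(Mandatory)] [object[]] $Records)
    $flag = $SuspiciousOperations | ForEach-Object { $_.TrimEnd('.') }
    $Records | Group-Object Operations | ForEach-Object {
        $ordered = @($_.Group | Sort-Object CreationDate)
        [pscustomobject]@{
            Operation  = $_.Name
            Count      = $_.Count
            Suspicious = ($_.Name.TrimEnd('.') -in $flag)   # Entra ops carry a trailing period in the UAL
            FirstSeen  = $ordered[0].CreationDate
            LastSeen   = $ordered[-1].CreationDate
        }
    } | Sort-Object Suspicious, Count -Descending
}

function Get-UalSourceIps {
    <# Source IPs per operation. Exchange admin and Entra records carry ClientIP in
       AuditData; mailbox records (MailItemsAccessed etc.) carry ClientIPAddress. #>
    param([Parameter(Mandatory)] [object[]] $Records)
    $Records | ForEach-Object {
        $d  = $_.AuditData | ConvertFrom-Json
        $ip = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        if ($ip) { [pscustomobject]@{ ClientIP = $ip; Operation = $d.Operation } }
    } | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object `
        @{ n = 'ClientIP';   e = { $_.Name } },
        Count,
        @{ n = 'Operations'; e = { ($_.Group.Operation | Sort-Object -Unique) -join ', ' } }
}

# Usage (requires the connected session)
$ual = Get-UalForUser -UserId alex@contoso.com -Days 14 -OutFile .\ir2024-alex-ual.csv
Get-UalTriage    -Records $ual | Format-Table -AutoSize
Get-UalSourceIps -Records $ual | Format-Table -AutoSize
```

The IP pivot is what you feed into the later steps: every source address that is not the user's usual laptop or phone becomes the attacker IP list for the MailItemsAccessed and MessageTrace scoping.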

2. Inbox rule forensics

Attackers create rules that delete or forward security alerts and password reset emails. For New-InboxRule and Set-InboxRule the rule definition sits inside the audit log entry as JSON, as a Parameters array of Name/Value pairs; rules created from the Outlook client show up as UpdateInboxRules with the definition under OperationProperties instead. The patterns to flag: rules that move messages containing words like 'invoice', 'wire', 'password', or your domain to RSS Feeds or Deleted Items; rules with ForwardTo, ForwardAsAttachmentTo or RedirectTo pointing at external addresses; rules that mark mail as read or delete it; and rules whose name is a single dot or a few punctuation characters, chosen so the user overlooks them in the rules list.

Get-InboxRule -Mailbox alex@contoso.com -IncludeHidden | Format-List Name, Enabled, Priority, From, SubjectContainsWords, MoveToFolder, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead

Remove the malicious rules but export them first. The rule itself is evidence of attacker intent.
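Parsing the rule JSON out of the UAL and scoring it against the patterns above, as an added example that is not from the original post. The two AuditData records are constructed to mirror the shape of New-InboxRule entries (a Parameters array of Name/Value pairs); the addresses, IPs and rule names in them are placeholders, and the function name and its -InternalDomains parameter are ours.

```powershell
# Added example, not code from the original post. Sample records are constructed.
$SampleAuditData = @'
[
  {"CreationTime":"2024-05-29T03:12:41","Operation":"New-InboxRule","Workload":"Exchange",
   "UserId":"alex@contoso.com","ClientIP":"203.0.113.45","ObjectId":"alex@contoso.com\\.",
   "Parameters":[
     {"Name":"Name","Value":"."},
     {"Name":"SubjectContainsWords","Value":"invoice;wire;password;contoso.com"},
     {"Name":"MoveToFolder","Value":"RSS Feeds"},
     {"Name":"MarkAsRead","Value":"True"},
     {"Name":"ForwardAsAttachmentTo","Value":"\"finance\" [SMTP:finance.contoso@example.net]"}]},
  {"CreationTime":"2024-05-20T09:01:02","Operation":"New-InboxRule","Workload":"Exchange",
   "UserId":"alex@contoso.com","ClientIP":"198.51.100.7","ObjectId":"alex@contoso.com\\Team list",
   "Parameters":[
     {"Name":"Name","Value":"Team list"},
     {"Name":"From","Value":"team@contoso.com"},
     {"Name":"MoveToFolder","Value":"Team"}]}
]
'@

function Find-SuspiciousInboxRules {
    <# Flags New-InboxRule / Set-InboxRule records that forward externally, hide or delete
       mail, key on finance/credential terms, or carry a punctuation-only name.
       UpdateInboxRules (Outlook-created) stores the rule in OperationProperties and is
       not parsed here. #>
    param(
        [Parameter(Mandatory)] [object[]] $AuditData,       # AuditData already run through ConvertFrom-Json
        [Parameter(Mandatory)] [string[]] $InternalDomains  # your accepted domains
    )
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
    $hideFolders   = 'RSS Feeds', 'RSS Subscriptions', 'Deleted Items', 'Junk Email', 'Archive', 'Conversation History'
    $termRegex     = 'invoice|wire|payment|password|mfa|security|' +
                     (($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|')
    foreach ($e in $AuditData) {
        if ($e.Operation -notin 'New-InboxRule', 'Set-InboxRule') { continue }
        $p = @{}
        foreach ($kv in $e.Parameters) { $p[$kv.Name] = [string]$kv.Value }
        $reasons = @()
        foreach ($fp in $forwardParams) {
            if (-not $p.ContainsKey($fp)) { continue }
            # Values look like plain addresses or '"Display" [SMTP:user@domain]'; pull every address out
            $addrs = [regex]::Matches($p[$fp], '[\w.+-]+@[\w.-]+\.\w+') | ForEach-Object { $_.Value }
            $ext   = @($addrs | Where-Object { ($_ -split '@')[1] -notin $InternalDomains })
            if ($ext.Count) { $reasons += "$fp to external address: $($ext -join ', ')" }
        }
        if ($p['MoveToFolder'] -in $hideFolders) { $reasons += "moves mail to $($p['MoveToFolder'])" }
        if ($p['DeleteMessage'] -eq 'True' -or $p['SoftDeleteMessage'] -eq 'True') { $reasons += 'deletes matching mail' }
        foreach ($k in 'SubjectContainsWords', 'BodyContainsWords', 'SubjectOrBodyContainsWords', 'FromAddressContainsWords') {
            if ($p.ContainsKey($k) -and $p[$k] -match $termRegex) { $reasons += "$k matches alert/finance terms ($($p[$k]))" }
        }
        if ($p['Name'] -match '^[\W_]{1,3}$') { $reasons += 'rule name is punctuation only' }
        if ($reasons.Count) {
            [pscustomobject]@{
                Time      = $e.CreationTime
                User      = $e.UserId
                ClientIP  = $e.ClientIP
                Operation = $e.Operation
                RuleName  = $p['Name']
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Run against the constructed sample
$parsed = $SampleAuditData | ConvertFrom-Json
Find-SuspiciousInboxRules -AuditData $parsed -InternalDomains 'contoso.com' | Format-List

# Run against a real export from section 1:
# Find-SuspiciousInboxRules -AuditData ((Import-Csv .\ir2024-alex-ual.csv).AuditData | ConvertFrom-Json) -InternalDomains 'contoso.com'
```

On the sample, only the "." rule comes back, with all four reasons (external forward, RSS Feeds, finance terms, punctuation name); the "Team list" rule is silent. The flagged object keeps the ClientIP from the audit record, which is the attacker address you carry into the MailItemsAccessed and MessageTrace steps.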

3. MailItemsAccessed and what was read

If your tenant has the right licensing, MailItemsAccessed logs reads against the mailbox as Bind records (individual items, each with an InternetMessageId) and Sync records (a client synchronised a whole folder, so assume everything in it). During an incident, this is gold, with two caveats. First, LogonType only separates Owner, Admin and Delegate access; an attacker using stolen credentials reads as the Owner, so attribute reads by ClientIPAddress, SessionId and ClientInfoString against the source IPs you pulled from the UAL, and use the non-Owner entries to catch delegate or admin abuse. Second, throttling: once a mailbox generates more than 1,000 Bind records in 24 hours, Exchange marks the last one IsThrottled and stops logging for the rest of that day, so a throttled session means partial coverage. Each Bind entry carries an InternetMessageId you can correlate against MessageTrace (its MessageId column) to know exactly which emails were exposed.

If MailItemsAccessed is missing, the worst-case assumption is the entire mailbox was read during the compromised session window. Tell your DPO that assumption upfront.
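Turning MailItemsAccessed records into an exposure list, as an added example that is not from the original post. The three AuditData records are constructed to mirror the real shape (Folders containing FolderItems with InternetMessageId, MailAccessType and IsThrottled under OperationProperties, ClientIPAddress and SessionId at the top level); the IPs, session IDs and message IDs are placeholders, and the -AttackerIPs parameter is the IP list from your own UAL pivot.

```powershell
# Added example, not code from the original post. Sample records are constructed.
$SampleMailItemsAccessed = @'
[
  {"CreationTime":"2024-05-29T03:15:10","Operation":"MailItemsAccessed","LogonType":0,
   "UserId":"alex@contoso.com","ClientIPAddress":"203.0.113.45","SessionId":"s-attacker-1",
   "ClientInfoString":"Client=REST;Client=RESTSystem;;",
   "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
   "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m1@contoso.com>"},{"InternetMessageId":"<m2@contoso.com>"}]}]},
  {"CreationTime":"2024-05-29T03:20:55","Operation":"MailItemsAccessed","LogonType":0,
   "UserId":"alex@contoso.com","ClientIPAddress":"203.0.113.45","SessionId":"s-attacker-1",
   "ClientInfoString":"Client=REST;Client=RESTSystem;;",
   "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],
   "Folders":[{"Path":"\\Sent Items","FolderItems":[]}]},
  {"CreationTime":"2024-05-29T08:02:13","Operation":"MailItemsAccessed","LogonType":0,
   "UserId":"alex@contoso.com","ClientIPAddress":"198.51.100.7","SessionId":"s-owner-laptop",
   "ClientInfoString":"Client=OWA;Action=ViaProxy",
   "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
   "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m3@contoso.com>"}]}]}
]
'@

$LogonTypeNames = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate'; 3 = 'Transport'; 4 = 'SecurityAdmin'; 6 = 'BestAccess'; 8 = 'Datacenter' }

function Get-MailAccessRows {
    <# One row per (record, folder). Attribution is by source IP, not LogonType:
       an attacker holding the user's credentials reads as the Owner. #>
    param(
        [Parameter(Mandatory)] [object[]] $AuditData,
        [Parameter(Mandatory)] [string[]] $AttackerIPs
    )
    foreach ($e in $AuditData) {
        if ($e.Operation -ne 'MailItemsAccessed') { continue }
        $props = @{}
        foreach ($kv in $e.OperationProperties) { $props[$kv.Name] = [string]$kv.Value }
        $ip = if ($e.ClientIPAddress) { $e.ClientIPAddress } else { $e.ClientIP }
        $lt = if ($null -ne $e.LogonType -and $LogonTypeNames.ContainsKey([int]$e.LogonType)) { $LogonTypeNames[[int]$e.LogonType] } else { "Unknown($($e.LogonType))" }
        foreach ($f in $e.Folders) {
            [pscustomobject]@{
                Time       = $e.CreationTime
                ClientIP   = $ip
                SessionId  = $e.SessionId
                LogonType  = $lt
                AccessType = $props['MailAccessType']
                Throttled  = $props['IsThrottled'] -eq 'True'
                Folder     = $f.Path
                MessageIds = @($f.FolderItems | ForEach-Object { $_.InternetMessageId } | Where-Object { $_ })
                Hostile    = $ip -in $AttackerIPs
            }
        }
    }
}

function Get-ExposureSummary {
    <# What the DPO needs: exact message IDs where Bind records exist, whole folders
       where the attacker's client synced, and sessions where throttling means the
       log is incomplete (treat those like the no-log case: assume the whole mailbox). #>
    param([Parameter(Mandatory)] [object[]] $Rows)
    $hostile = @($Rows | Where-Object Hostile)
    [pscustomobject]@{
        HostileSessions   = @($hostile | ForEach-Object { $_.SessionId } | Sort-Object -Unique)
        ExposedMessageIds = @($hostile | ForEach-Object { $_.MessageIds } | Sort-Object -Unique)
        SyncedFolders     = @($hostile | Where-Object { $_.AccessType -eq 'Sync' } | ForEach-Object { $_.Folder } | Sort-Object -Unique)
        ThrottledSessions = @($hostile | Where-Object Throttled | ForEach-Object { $_.SessionId } | Sort-Object -Unique)
        NonOwnerAccess    = @($Rows | Where-Object { $_.LogonType -ne 'Owner' })
    }
}

$rows = Get-MailAccessRows -AuditData ($SampleMailItemsAccessed | ConvertFrom-Json) -AttackerIPs '203.0.113.45'
Get-ExposureSummary -Rows $rows | Format-List
```

On the sample this yields two exposed message IDs from the Inbox, a full-folder exposure of Sent Items from the Sync record, and no throttling. The ExposedMessageIds list is what you join against Get-MessageTrace's MessageId column to recover subjects and senders; the SyncedFolders list is what you report as wholly exposed.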

4. OAuth consent grant enumeration

OAuth phishing is the underestimated attack. The attacker tricks the user into consenting to a malicious app with Mail.Read or broader delegated scopes. The consent grant is independent of the user's credentials: resetting the password or re-registering MFA does not remove it, and an app that also holds application permissions authenticates with its own secret and never needs the user at all. UAL captures 'Consent to application.' The Entra portal also lists user-consented apps, but paging through it during an incident is slow, so pull the grants with PowerShell.

Get-MgUserOauth2PermissionGrant -UserId alex@contoso.com | Select-Object Id, ClientId, ResourceId, ConsentType, Scope
Get-MgOauth2PermissionGrant -Filter "consentType eq 'AllPrincipals'" | Select-Object Id, ClientId, ResourceId, Scope

The first command returns grants made by or for this user; the second returns tenant-wide admin consents, which cover this user too but never appear under the user object. ClientId and ResourceId are service principal object IDs: resolve each with Get-MgServicePrincipal -ServicePrincipalId and read DisplayName, AppId, AppOwnerOrganizationId and VerifiedPublisher. Anything you do not recognize gets revoked with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId. Then check the client service principal for application permissions with Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId: those are admin-consented app roles rather than delegated grants, so they are invisible in the user's grant list, and an app holding them reads mail with its own credential. To cut the app off entirely, disable its service principal (Update-MgServicePrincipal -AccountEnabled:$false).
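The grant enumeration with the service principal lookups folded in, as an added example that is not from the original post. It assumes Connect-MgGraph has succeeded with Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All (plus Application.ReadWrite.All if you use the disable switch); the function names and the -KnownAppIds allowlist parameter are ours.

```powershell
# Added example, not code from the original post. Assumes a Connect-MgGraph session.
function Get-OAuthGrantTriage {
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [string[]] $KnownAppIds = @()    # hypothetical allowlist of AppIds you have already reviewed
    )
    $tenant = (Get-MgContext).TenantId
    # User-specific grants plus tenant-wide admin grants; the latter apply to this user
    # too but never show up under the user (PrincipalId is empty on them).
    $grants = @(Get-MgUserOauth2PermissionGrant -UserId $UserId -All) +
              @(Get-MgOauth2PermissionGrant -Filter "consentType eq 'AllPrincipals'" -All)
    foreach ($g in $grants) {
        $client   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId   -ErrorAction SilentlyContinue
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId -ErrorAction SilentlyContinue
        # Application permissions (admin-consented app roles) live on the client SP, not in
        # the OAuth2 grant; an app with Mail.Read as an app role needs no user at all.
        $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $g.ClientId -All -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            GrantId        = $g.Id
            ConsentType    = $g.ConsentType
            App            = $client.DisplayName
            AppId          = $client.AppId
            ClientObjectId = $g.ClientId
            Publisher      = $client.VerifiedPublisher.DisplayName
            ForeignTenant  = [bool]($client.AppOwnerOrganizationId -and $client.AppOwnerOrganizationId -ne $tenant)
            Resource       = $resource.DisplayName
            Scope          = "$($g.Scope)".Trim()
            AppPermissions = $appRoles.Count
            Unknown        = $client.AppId -notin $KnownAppIds
        }
    }
}

function Revoke-OAuthGrant {
    <# Removes the grant; -DisableClient also stops the app from obtaining any new token
       in this tenant, which is what shuts down an app-permission holder. #>
    param(
        [Parameter(Mandatory)] [string] $GrantId,
        [string] $ClientObjectId,
        [switch] $DisableClient
    )
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $GrantId
    if ($DisableClient -and $ClientObjectId) {
        Update-MgServicePrincipal -ServicePrincipalId $ClientObjectId -AccountEnabled:$false
    }
}

# Usage
$triage = Get-OAuthGrantTriage -UserId alex@contoso.com -KnownAppIds @()
$triage | Where-Object Unknown | Format-Table App, ConsentType, Scope, Publisher, ForeignTenant, AppPermissions -AutoSize
# Review the table by hand before revoking; one-liner for a confirmed malicious row:
# $triage | Where-Object { $_.App -eq 'Mail Backup Helper' } | ForEach-Object { Revoke-OAuthGrant -GrantId $_.GrantId -ClientObjectId $_.ClientObjectId -DisableClient }
```

ForeignTenant is true for every multi-tenant app, Microsoft's own included, so read it together with Publisher: a verified publisher you know is fine, an unverified publisher from another tenant requesting Mail.Read or Mail.ReadWrite is the OAuth phishing pattern. AppPermissions greater than zero on an unknown app is the finding to escalate, because revoking the user's grant does nothing to it.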

5. Session revocation, in the right order

Resetting the password without revoking sessions leaves the attacker holding valid refresh tokens. Revocation invalidates refresh tokens; access tokens already issued survive until they expire (up to about an hour by default) unless the client supports continuous access evaluation, so disable the account first. The order matters.

  1. Disable the account, then revoke sessions: Revoke-MgUserSignInSession -UserId alex@contoso.com
  2. Reset the password through Entra ID admin, forcing change at next sign-in.
  3. Re-register MFA: remove all authentication methods and require fresh enrollment from a known device.
  4. Audit and remove any inbox rules, mailbox-level forwarding (Set-Mailbox ForwardingSmtpAddress and ForwardingAddress), and OAuth grants found earlier.
  5. Re-enable the account only after the above is verified clean.
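The five steps as one containment function, as an added example that is not from the original post. It assumes Connect-MgGraph with User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All and Directory.AccessAsUser.All, a Connect-ExchangeOnline session, and an operator holding Authentication Administrator and Exchange Administrator; the function name is ours, and the MFA reset is done through the per-method Graph collections because there is no single "remove all methods" call.

```powershell
# Added example, not code from the original post. Assumes Graph and Exchange Online sessions.
function Invoke-AccountContainment {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $UserId)

    # 1. Disable, then revoke. Revocation invalidates refresh tokens; access tokens already
    #    issued live until expiry unless the client honours continuous access evaluation.
    Update-MgUser -UserId $UserId -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null

    # 2. Random password, change forced at next sign-in. The value is never displayed or stored.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Update-MgUser -UserId $UserId -PasswordProfile @{
        Password                      = [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }

    # 3. Remove every registered MFA method so enrollment starts over from a known device.
    #    Each method type is its own Graph collection. The password method cannot be deleted,
    #    and Graph can refuse to delete the method currently set as default, so failures are
    #    collected rather than ignored.
    $collections = @{
        '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
        '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
        '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
        '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
    }
    $failed = @()
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        $type = $m.AdditionalProperties['@odata.type']
        if (-not $collections.ContainsKey($type)) { continue }
        $uri = "https://graph.microsoft.com/v1.0/users/$UserId/authentication/$($collections[$type])/$($m.Id)"
        try   { Invoke-MgGraphRequest -Method DELETE -Uri $uri | Out-Null }
        catch { $failed += "$type ($($m.Id)): $($_.Exception.Message)" }
    }

    # 4. Mailbox-level forwarding lives outside inbox rules and is easy to miss.
    Set-Mailbox -Identity $UserId -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

    # 5. Verify, and re-enable only when nothing is left over.
    $rules = @(Get-InboxRule -Mailbox $UserId -IncludeHidden |
               Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage })
    if ($failed.Count -eq 0 -and $rules.Count -eq 0) {
        Update-MgUser -UserId $UserId -AccountEnabled:$true
        return 'clean: account re-enabled'
    }
    Write-Warning ("Left disabled. Undeletable methods: {0}; forwarding/delete rules: {1}" -f `
        ($failed -join ' | '), (($rules | ForEach-Object { $_.Name }) -join ', '))
}

Invoke-AccountContainment -UserId alex@contoso.com
```

OAuth grants are deliberately not touched here because they need a human decision per app (section 4); run that triage before calling this, or the account goes back online with the attacker's app still consented. If step 3 reports an undeletable default method, change the default in the Entra admin center and re-run.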

6. MessageTrace and exfiltration scope

Get-MessageTrace covers the last ten days and returns at most 5,000 rows per page (-Page and -PageSize). For older windows, use Start-HistoricalSearch, which reaches back ninety days and delivers a CSV report asynchronously; poll the job with Get-HistoricalSearch. Filter to messages sent from the account during the compromised window. Look for unusual recipients, messages larger than the user's normal traffic (trace exposes Size, not attachment names), and deliveries to the external addresses that appeared in any forwarding rule found earlier.
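The outbound scoping query with paging and the historical fallback, as an added example that is not from the original post. It assumes a Connect-ExchangeOnline session; the function names and the -LargeMessageBytes threshold are ours, and the threshold should be tuned to the user's normal traffic.

```powershell
# Added example, not code from the original post. Assumes a Connect-ExchangeOnline session.
function Get-OutboundTraceScope {
    param(
        [Parameter(Mandatory)] [string]   $Sender,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [int] $LargeMessageBytes = 2MB      # hypothetical threshold; tune per user
    )
    if (((Get-Date) - $Start) -gt [timespan]::FromDays(10)) {
        throw 'Get-MessageTrace only covers the last 10 days; use Start-OutboundHistoricalTrace for older windows.'
    }
    $internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

    # Real-time trace pages at 5,000 rows; keep pulling until a short page comes back.
    $all = @(); $page = 1
    do {
        $batch = @(Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End -PageSize 5000 -Page $page)
        $all  += $batch
        $page++
    } while ($batch.Count -eq 5000)

    $external = @($all | Where-Object { (($_.RecipientAddress -split '@')[1]).ToLower() -notin $internal })
    [pscustomobject]@{
        TotalSent          = $all.Count
        ExternalSent       = $external.Count
        ExternalRecipients = $external | Group-Object RecipientAddress | Sort-Object Count -Descending |
                             Select-Object @{ n = 'Recipient'; e = { $_.Name } }, Count,
                                           @{ n = 'Bytes'; e = { ($_.Group | Measure-Object Size -Sum).Sum } }
        LargeMessages      = @($all | Where-Object { $_.Size -ge $LargeMessageBytes } |
                               Select-Object Received, RecipientAddress, Subject, Size, MessageId)
        ByDay              = $all | Group-Object { $_.Received.ToString('yyyy-MM-dd') } |
                             Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
    }
}

function Start-OutboundHistoricalTrace {
    <# For windows older than 10 days (up to 90). The result is a CSV report you collect
       once Get-HistoricalSearch -JobId <id> reports Status 'Done'. #>
    param(
        [Parameter(Mandatory)] [string]   $Sender,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [Parameter(Mandatory)] [string]   $NotifyAddress
    )
    $job = Start-HistoricalSearch -ReportTitle "IR outbound $Sender $(Get-Date -Format yyyyMMdd)" `
        -ReportType MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End -NotifyAddress $NotifyAddress
    $job.JobId
}

# Usage
$scope = Get-OutboundTraceScope -Sender alex@contoso.com -Start (Get-Date).AddDays(-9) -End (Get-Date)
$scope.ExternalRecipients | Format-Table -AutoSize
$scope.LargeMessages      | Format-Table -AutoSize
$scope.ByDay              | Format-Table -AutoSize
```

ByDay is there for the silent-period check: a burst of sends on the day of the first hostile sign-in, or zero sends during a window when MailItemsAccessed shows the attacker reading, both tell you something about intent. Traffic leaving through an inbox rule forward keeps the original external sender and is rewritten on the way out, so it will not appear under -SenderAddress; trace it with -RecipientAddress set to the forwarding target from section 2 instead.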

180 days: UAL retention default for E3
365 days: MailItemsAccessed and the rest of the UAL under Audit (Premium)
10 days: MessageTrace real-time window

M365 IR rewards preparation. Pre-build a Get-MailboxForensics function for your tenant that wraps the queries above. Test it on yourself quarterly. When the real incident lands, you are reading output, not writing PowerShell.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.