

TL;DR
Microsoft 365 account takeover using valid credentials produces no endpoint alert. The attacker authenticates through Entra ID and operates through Microsoft's own APIs.
Six signals consistently indicate active account compromise: impossible travel, anomalous MFA device registration, new inbox forwarding rules, bulk SharePoint download, security alert deletion rules and OAuth application consent.
Each signal is an identity or application-layer event. Detecting all six requires monitoring Entra ID sign-in logs, Exchange Online audit events and Azure AD application logs.
For MSPs, this means running detection coverage at the identity layer across every managed tenant, not only at the endpoint layer.
The SOC analyst reviewing these signals needs the client's behavioral baseline to distinguish genuine anomalies from normal business activity.
Why endpoint tools do not flag this
Microsoft 365 account takeover begins with authentication, not with execution. An attacker who has obtained valid credentials submits them to Entra ID through a browser, mobile client or API. The authentication succeeds. A session is established. The attacker now has the same access the legitimate user has, through the same interfaces the legitimate user uses.
There is no process executing on any managed device. No file is written to disk. No unusual network connection originates from a monitored endpoint. The endpoint agent has nothing to observe. The activity that follows (accessing mailboxes, downloading files, creating forwarding rules) happens entirely inside Microsoft's platform layer.
The signals that indicate compromise exist, but they are in identity and application telemetry. Detecting them requires monitoring those sources, not the process layer.
The six signals that indicate active account compromise
1. Impossible travel
Entra ID sign-in logs record the geographic location of each authentication. When two sign-in events occur from locations that are physically inconsistent with normal travel time, for example London at 9am and New York at 9:15am, this indicates either a VPN, a proxy, or a second party using the account. The signal requires a baseline of where the user normally authenticates from. The impossible travel pattern is one of the highest-confidence indicators of account compromise available in Entra ID telemetry.
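An added example (not code from the original article or from enhanced.io) of the impossible travel check described above: consecutive sign-ins per user are turned into an implied ground speed, and anything faster than a commercial flight is reported. The event shape (user, time, city, lat, lon) and the sample records are constructed assumptions, simplified from Entra ID sign-in log fields; the optional baseline maps a user to the cities they normally sign in from so the analyst can see whether the hop ended somewhere familiar.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Fastest plausible ground speed between two sign-ins (km/h). Faster than a
# commercial flight means the same person cannot have produced both events.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample sign-ins (values made up; shape is an assumption).
SAMPLE_SIGNINS = [
    {"user": "a.user@example.com", "time": "2024-05-01T09:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "a.user@example.com", "time": "2024-05-01T09:15:00Z", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "b.user@example.com", "time": "2024-05-01T08:00:00Z", "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
    {"user": "b.user@example.com", "time": "2024-05-01T12:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, baseline=None):
    """Return one finding per consecutive sign-in pair whose implied speed exceeds max_kmh.

    baseline maps user -> set of cities they normally authenticate from; a hop that
    ends in a baseline city is still reported but marked so the analyst can weigh it."""
    findings = []
    by_user = {}
    for ev in sorted(signins, key=lambda e: (e["user"], _parse(e["time"]))):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (_parse(cur["time"]) - _parse(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                known = baseline is not None and cur["city"] in baseline.get(user, set())
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "km": round(km), "kmh": round(speed), "in_baseline": known})
    return findings
```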
2. New MFA device registration
When an attacker gains access to an account, registering a new MFA device is a standard persistence step. It means the attacker can re-authenticate even after the legitimate user's password is changed, unless the MFA device is also reviewed and removed. New device registrations appear in Entra ID audit logs. An alert on any new MFA device registration for accounts with access to sensitive data provides early detection of this persistence mechanism.
3. Inbox forwarding rules
A forwarding rule that sends copies of all incoming email to an external address is one of the quietest and most persistent techniques in a compromised Microsoft 365 account. It is an Exchange Online audit event. The rule runs in the background, the account holder typically sees no indication of it, and it survives password changes until explicitly removed. Monitoring Exchange Online for new forwarding rules pointing to external addresses, particularly those created outside business hours, is a reliable indicator of active compromise.
4. Security alert deletion rules
Alongside the forwarding rule, attackers commonly create a second rule that deletes any incoming email matching keywords like 'Microsoft security alert', 'unusual sign-in activity' or 'new device registered'. This prevents the legitimate user from seeing the notifications Microsoft sends about the compromise. These rules appear in Exchange Online audit logs and are detectable through the same monitoring that catches forwarding rules.
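An added example (not code from the original article or from enhanced.io) covering signals 3 and 4 together: it walks Exchange Online audit records for new inbox rules and flags rules that forward outside the organisation or that delete mail matching the security-alert keywords quoted above, tagging rules created outside business hours. The record shape (Operation plus a list of Name/Value Parameters) and the sample records are constructed assumptions modelled on New-InboxRule audit events.

```python
# Keywords attackers match to silently delete Microsoft's own notifications.
ALERT_KEYWORDS = ("microsoft security alert", "unusual sign-in activity", "new device registered")

# Constructed Exchange Online audit records (values made up; shape is an assumption).
SAMPLE_AUDIT = [
    {"UserId": "a.user@example.com", "Operation": "New-InboxRule", "CreationTime": "2024-05-01T02:14:00",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-example.net"}]},
    {"UserId": "a.user@example.com", "Operation": "New-InboxRule", "CreationTime": "2024-05-01T02:15:00",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "Microsoft security alert;unusual sign-in activity"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "b.user@example.com", "Operation": "New-InboxRule", "CreationTime": "2024-05-01T10:30:00",
     "Parameters": [{"Name": "Name", "Value": "to archive"},
                    {"Name": "ForwardTo", "Value": "archive@example.com"}]},
]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address, internal_domains):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def classify_inbox_rules(records, internal_domains, business_hours=(8, 18)):
    """Flag rules that forward outside the org or delete security notifications.

    Returns (UserId, reasons) tuples; 'after_hours' is appended when the rule was
    created outside the business_hours window (start inclusive, end exclusive)."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(rec)
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key in p and _is_external(p[key], internal_domains):
                reasons.append("external_forward")
        text = " ".join(v for k, v in p.items() if k in ("SubjectContainsWords", "BodyContainsWords")).lower()
        if p.get("DeleteMessage") == "True" and any(k in text for k in ALERT_KEYWORDS):
            reasons.append("deletes_security_alerts")
        if reasons:
            hour = int(rec["CreationTime"][11:13])
            if not business_hours[0] <= hour < business_hours[1]:
                reasons.append("after_hours")
            findings.append((rec["UserId"], reasons))
    return findings
```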
5. Bulk SharePoint or OneDrive download
After establishing persistence through MFA device registration and inbox rule creation, the attacker typically moves to data collection. Bulk file access from SharePoint document libraries or OneDrive folders within a single session produces a volume and pattern of access events that deviates significantly from normal user behavior. SharePoint audit logs record individual file access events. A spike in access events from a single account within a short time window is a reliable signal of data staging activity.
6. OAuth application consent
Attackers use OAuth phishing to obtain persistent delegated access to Microsoft 365 accounts. A user clicks a link, is directed to a legitimate Microsoft OAuth consent page and grants permissions to a malicious application. The application then has API access to the user's mailbox, files and calendar without requiring the user's password. Azure AD application consent events appear in Entra ID audit logs. Monitoring for new application consents, particularly those granting mail read or files read permissions, detects this technique.
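An added example (not code from the original article or from enhanced.io) of the consent check described above: it reads the permission string from an Entra ID "Consent to application" audit event, splits out the granted scopes and reports consents that include mail or file permissions, noting whether offline_access (a refresh token, hence persistence) was granted alongside. The event layout and the "[] => [[... Scope: ...]]" value format are assumptions modelled on Entra ID audit records, and the sample events are constructed.

```python
import re

# Captures the space-separated scope list inside a ConsentAction.Permissions value.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")
# Scope families the article singles out: mail read and files read (plus mailbox settings).
RISKY_PREFIXES = ("Mail.", "Files.", "MailboxSettings.")

# Constructed sample audit events (values made up; layout is an assumption).
SAMPLE_CONSENTS = [
    {"activityDisplayName": "Consent to application", "initiatedBy": "a.user@example.com",
     "targetResources": [{"displayName": "Doc Viewer Pro", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: 1, ClientId: c1, PrincipalId: p1, ResourceId: r1, "
                      "ConsentType: Principal, Scope: openid profile offline_access Mail.Read Files.Read.All]]"}]}]},
    {"activityDisplayName": "Consent to application", "initiatedBy": "b.user@example.com",
     "targetResources": [{"displayName": "Team Poll", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: 2, ClientId: c2, PrincipalId: p2, ResourceId: r1, "
                      "ConsentType: Principal, Scope: openid profile User.Read]]"}]}]},
]


def consent_scopes(event):
    """Collect every scope granted in the event's ConsentAction.Permissions properties."""
    scopes = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in SCOPE_RE.finditer(prop.get("newValue", "")):
                    scopes.update(m.group(1).split())
    return scopes


def risky_consents(events, risky_prefixes=RISKY_PREFIXES):
    """Return consents whose scopes include a risky family; 'persistent' marks offline_access."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        scopes = consent_scopes(ev)
        risky = sorted(s for s in scopes if s.startswith(risky_prefixes))
        if risky:
            findings.append({"user": ev["initiatedBy"],
                             "app": ev["targetResources"][0]["displayName"],
                             "risky_scopes": risky,
                             "persistent": "offline_access" in scopes})
    return findings
```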
How to build detection coverage for these signals
Identity threat detection and response requires three data sources operating continuously across all managed tenants: Entra ID sign-in logs for authentication anomaly detection, Entra ID audit logs for MFA device and application consent events, and Exchange Online unified audit logs for mailbox rule and file access events.
The detection logic has to operate against a baseline. An impossible travel alert fires correctly when the system knows where the user normally authenticates from. A bulk download alert fires correctly when the system knows what volume of file access is normal for that user. Without baseline context, alert volumes become unmanageable and analysts begin suppressing genuine signals. The XDR approach to correlating these signals applies baseline deviation logic across all six indicator types simultaneously, reducing false positive rates significantly.
For MSPs managing multiple tenants, each client's baseline is different. The detection platform needs per-tenant context to operate at useful precision. A rule calibrated against one client's normal SharePoint access volume will not work correctly for another. Building and maintaining per-tenant baselines is the operational overhead that determines detection quality in this area.
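An added example (not code from the original article or from enhanced.io) of the per-tenant baseline argument made above, using signal 5 as the case: each user's threshold is derived from their own history of hourly file downloads, so the same burst of 120 downloads in one hour fires for a low-volume user in one tenant and stays silent for a high-volume user in another. The tenant names, user names, history counts and SharePoint audit records are all constructed; the threshold rule (mean plus three standard deviations, with a floor) is this example's choice, not the article's.

```python
from statistics import mean, pstdev

# Constructed history: hourly FileDownloaded counts per user over prior working hours.
HISTORY = {
    "tenant-law-firm": {"a.user@law.example": [3, 5, 2, 4, 6, 3, 4, 5]},
    "tenant-design-agency": {"d.user@design.example": [90, 110, 130, 95, 120, 105, 115, 100]},
}


def build_baselines(history, z=3.0, floor=20):
    """Per (tenant, user): threshold = max(floor, mean + z * stdev) of hourly counts.

    The floor stops a very quiet user from alerting on a handful of downloads."""
    baselines = {}
    for tenant, users in history.items():
        for user, counts in users.items():
            baselines[(tenant, user)] = max(floor, mean(counts) + z * pstdev(counts))
    return baselines


def hourly_counts(events):
    """Count FileDownloaded audit events per (tenant, user, hour bucket)."""
    buckets = {}
    for ev in events:
        if ev["Operation"] != "FileDownloaded":
            continue
        key = (ev["tenant"], ev["UserId"], ev["CreationTime"][:13])
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


def bulk_download_alerts(events, baselines, default_threshold=50):
    """Alert when an hour's download count exceeds that user's own baseline threshold."""
    alerts = []
    for (tenant, user, hour), n in hourly_counts(events).items():
        threshold = baselines.get((tenant, user), default_threshold)
        if n > threshold:
            alerts.append({"tenant": tenant, "user": user, "hour": hour,
                           "count": n, "threshold": round(threshold, 1)})
    return alerts


def _burst(tenant, user, n):
    # Constructed SharePoint audit records: n downloads inside the 14:00 hour.
    return [{"tenant": tenant, "UserId": user, "Operation": "FileDownloaded",
             "CreationTime": f"2024-05-01T14:{i % 60:02d}:00"} for i in range(n)]


# Both users download 120 files in one hour; only one of them is anomalous.
SAMPLE_EVENTS = _burst("tenant-law-firm", "a.user@law.example", 120) + \
    _burst("tenant-design-agency", "d.user@design.example", 120)
```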
The investigation workflow when these signals fire
When any of the six signals fire, the investigation sequence is consistent. First, confirm whether the sign-in or event matches the user's normal pattern for location, device and time. Second, review whether any of the other five signals appear in the same account within the same time window. Attackers typically execute multiple techniques in rapid sequence after initial access. Finding one signal and finding multiple signals in the same window are different severity levels.
If the pattern indicates active compromise, the response sequence is: revoke all active sessions, reset credentials, review and remove any new MFA device registrations, review and remove any inbox rules forwarding to external addresses, review and revoke any new OAuth application consents, and audit SharePoint access events to determine the scope of any file access. The compromised credentials sequence documents this in more detail.
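An added example (not code from the original article or from enhanced.io) of the second investigation step above: hits from the six detectors are clustered per account inside a time window, and severity rises with the number of distinct signals in one cluster, so one impossible-travel hit on its own and the same hit followed minutes later by an MFA registration and new inbox rules are triaged differently. The signal names, sample hits and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed hits emitted by the six detectors (values made up).
SAMPLE_SIGNALS = [
    {"user": "a.user@example.com", "signal": "impossible_travel", "time": "2024-05-01T09:15:00Z"},
    {"user": "a.user@example.com", "signal": "mfa_device_registered", "time": "2024-05-01T09:22:00Z"},
    {"user": "a.user@example.com", "signal": "inbox_forwarding_rule", "time": "2024-05-01T09:31:00Z"},
    {"user": "a.user@example.com", "signal": "alert_deletion_rule", "time": "2024-05-01T09:32:00Z"},
    {"user": "c.user@example.com", "signal": "impossible_travel", "time": "2024-05-01T11:00:00Z"},
    {"user": "c.user@example.com", "signal": "bulk_download", "time": "2024-05-02T11:00:00Z"},
]


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def severity(distinct_signals):
    """One signal is worth a look; two or more in one window is an active compromise pattern."""
    return {1: "medium", 2: "high"}.get(distinct_signals, "critical")


def _incident(user, cluster):
    kinds = sorted({s["signal"] for s in cluster})
    return {"user": user, "start": cluster[0]["time"], "signals": kinds,
            "severity": severity(len(kinds))}


def correlate(signals, window=timedelta(hours=1)):
    """Cluster signals per account; a new cluster starts once a hit falls more than
    `window` after the cluster's first hit. Returns one incident per cluster."""
    incidents = []
    by_user = {}
    for s in sorted(signals, key=lambda s: (s["user"], _t(s["time"]))):
        by_user.setdefault(s["user"], []).append(s)
    for user, hits in by_user.items():
        cluster = [hits[0]]
        for s in hits[1:]:
            if _t(s["time"]) - _t(cluster[0]["time"]) <= window:
                cluster.append(s)
            else:
                incidents.append(_incident(user, cluster))
                cluster = [s]
        incidents.append(_incident(user, cluster))
    return incidents
```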
The best SOC for MSPs covering identity at this level operates the detection logic continuously across all tenants and has the per-tenant baseline context to distinguish genuine anomalies from expected behavior. An MSP without a SOC running this monitoring has no visibility into any of the six signals described above, regardless of how well the endpoint MDR is performing.
FAQ
What is the best SOC for an MSP whose endpoint MDR cannot see Microsoft 365 account takeover?
The requirement is a SOC that ingests Entra ID and Exchange Online telemetry, operates baseline deviation detection per tenant and reviews identity alerts continuously. Open XDR platforms that ingest from Microsoft 365 natively and apply behavioral correlation across identity, application and endpoint layers cover this requirement without requiring the MSP to build separate monitoring pipelines for each data source.
How can an MSP detect lateral movement and cloud attacks without replacing its existing EDR?
What Entra ID logs are needed to detect Microsoft 365 account takeover?
How long does a typical Microsoft 365 account takeover go undetected without identity monitoring?
What is the difference between Entra ID Identity Protection and a full identity monitoring capability?
How should MFA device registrations be monitored across multiple tenants?
About Author
Mark Duke
Mark Duke is CTO and co-founder of enhanced.io. He designed the SOC architecture on Stellar Cyber Open XDR and oversees all technical delivery across the platform.