How to Investigate a Suspicious Mailbox in Exchange Online (Complete Incident Response Guide)

A compromised mailbox is one of the most common security incidents Microsoft 365 administrators face. Whether the attacker obtained a user’s password through phishing, stole an authentication token, or exploited a malicious OAuth application, the mailbox often becomes the first target. Once inside, attackers rarely stop at reading emails—they frequently create forwarding rules, delete evidence, monitor conversations, and use the mailbox to launch Business Email Compromise (BEC) attacks against customers and colleagues.

The challenge is that these attacks are not always obvious. In many cases, users only notice something is wrong days or even weeks later. A missing email, an unexpected reply from a customer, or a security alert from Microsoft Defender may be the first indication that someone else has been accessing the mailbox.

Knowing how to investigate suspicious mailbox activity quickly and methodically is essential for minimizing damage. Rather than checking random settings, administrators should follow a structured investigation process that combines information from Microsoft Entra ID, Exchange Online, Microsoft Purview, and Microsoft Defender for Office 365.

This guide walks through that process step by step.


Recognizing the Signs of a Compromised Mailbox

Every investigation begins with identifying why the mailbox is considered suspicious in the first place. While some compromises trigger automated alerts, many are discovered through unusual user reports.

Common indicators include:

  • Emails appearing in the Sent Items folder that the user never sent.
  • Important emails disappearing from the Inbox without explanation.
  • Customers reporting strange replies or unexpected payment requests.
  • Unexpected forwarding rules sending copies of emails to external addresses.
  • Successful sign-ins from countries where the user has never traveled.
  • Multiple failed sign-in attempts followed by a successful login.
  • Unexpected mailbox delegates or permissions.
  • Security alerts generated by Microsoft Defender for Office 365.
  • Suspicious OAuth consent requests.
  • Users reporting MFA prompts they did not initiate.

One indicator alone does not necessarily confirm a compromise. However, several indicators occurring together should immediately trigger an investigation.


Step 1 – Contain the Incident First

Many administrators immediately begin reviewing audit logs while the attacker still has access to the mailbox. This is a common mistake.

Before performing a detailed investigation, reduce the attacker’s ability to continue using the compromised account.

Typical containment actions include:

  • Reset the user’s password.
  • Revoke all active refresh tokens.
  • Force reauthentication.
  • Verify Multi-Factor Authentication is enabled.
  • Temporarily block sign-in if necessary.
  • Remove suspicious sessions.

In Microsoft Entra Admin Center, administrators can revoke all active sessions for the user. This forces every authenticated session—including mobile devices and browsers—to obtain a new authentication token.

If token theft is suspected, revoking sessions should be one of the very first actions.


Step 2 – Review Microsoft Entra Sign-in Logs

After the account has been contained, begin examining authentication activity.

Microsoft Entra sign-in logs often reveal how the attacker gained access.

Focus on questions such as:

  • Did the attacker authenticate successfully?
  • From which country?
  • Which IP address was used?
  • Was MFA successfully completed?
  • Which application was used?
  • Which authentication method was used?
  • Was Conditional Access applied?

When reviewing sign-ins, administrators often focus only on failed logins. In reality, successful sign-ins usually provide much more valuable information.

Pay particular attention to:

Impossible Travel

If the user signs in from London at 9:00 AM and another successful sign-in appears from Brazil fifteen minutes later, this should immediately raise suspicion.

Although VPN usage can occasionally explain these events, impossible travel detections frequently indicate stolen credentials or stolen session tokens.

Authentication Method

Review whether authentication occurred through:

  • Password only
  • Password + MFA
  • Passkey
  • Windows Hello for Business
  • OAuth refresh token
  • Legacy Authentication

Legacy authentication is particularly dangerous because it bypasses many modern security controls.

If successful authentication occurs through IMAP, POP3, or SMTP AUTH when these protocols are not expected, investigate immediately.


Step 3 – Examine Mailbox Audit Logs

Authentication tells you who accessed the mailbox.

Mailbox auditing tells you what they actually did.

Exchange Online enables mailbox auditing by default, making it one of the most valuable forensic resources during an investigation.

Useful activities include:

  • MailItemsAccessed
  • HardDelete
  • SoftDelete
  • MoveToDeletedItems
  • SendAs
  • SendOnBehalf
  • UpdateInboxRules
  • CreateInboxRule
  • FolderBind
  • MailboxLogin

One event deserves particular attention:

MailItemsAccessed

This audit event records when emails are actually accessed.

If a user claims confidential emails were stolen, this event may help determine exactly which messages were viewed by the attacker.

Unlike message trace, mailbox auditing focuses on user interaction rather than message transport.

For organizations handling sensitive information, MailItemsAccessed events are often crucial during forensic investigations.


Step 4 – Investigate Inbox Rules

One of the oldest—and still most effective—techniques used by attackers is creating hidden inbox rules.

Rather than stealing passwords repeatedly, attackers simply allow the mailbox to continue receiving emails while automatically forwarding, hiding, or deleting messages.

Common malicious rules include:

  • Delete messages containing “invoice”
  • Move emails from the finance department
  • Forward every incoming email externally
  • Mark important emails as read
  • Hide MFA verification emails

These rules allow attackers to remain undetected for weeks.

Administrators should review every inbox rule, especially those:

  • Created recently
  • Forwarding messages externally
  • Moving emails to RSS Feeds
  • Moving emails into hidden folders
  • Deleting messages automatically

PowerShell provides a quick way to review mailbox rules:

Get-InboxRule -Mailbox user@contoso.com

Do not assume every forwarding rule is malicious. Some users legitimately create automatic filing rules. Instead, focus on rules that match the timeline of the incident or interact with sensitive communications.


Step 5 – Check Mailbox Forwarding

Inbox rules are only one method attackers use.

Exchange Online also supports mailbox-level forwarding configured by administrators or through Exchange settings.

Unlike inbox rules, mailbox forwarding occurs before messages even reach the user’s Inbox.

Review:

  • SMTP forwarding
  • ForwardingAddress
  • ForwardingSMTPAddress
  • Remote domains
  • Transport rules

PowerShell:

Get-Mailbox user@contoso.com | Format-List Forwarding*

Any unexpected external forwarding address should be investigated immediately.

Attackers frequently configure forwarding to free email providers so they continue receiving sensitive communications even after losing access to the compromised account.


Step 6 – Review Sent Items Carefully

Many investigations focus exclusively on incoming mail.

Experienced investigators know the Sent Items folder often tells a more complete story.

Look for:

  • Messages sent during unusual hours.
  • Emails written in a different tone.
  • Replies containing payment instructions.
  • New external recipients.
  • Large numbers of outbound messages.
  • Automatic replies the user did not configure.

If Microsoft Defender for Office 365 is deployed, correlate these findings with Threat Explorer to determine whether any suspicious outbound emails were detected or blocked.


Step 7 – Use Message Trace to Reconstruct the Timeline

Once mailbox activity has been reviewed, the next step is understanding how email moved through Exchange Online.

Message Trace helps answer questions such as:

  • Was a suspicious email actually delivered?
  • Was it quarantined?
  • Did transport rules modify it?
  • Was it rejected because of SPF, DKIM, or DMARC?
  • Which connector processed the message?
  • How long did delivery take?

Unlike mailbox audit logs, Message Trace focuses on the transport pipeline rather than user activity. Using both sources together allows administrators to build a much more accurate timeline of the incident.

Why Message Trace is critical in mailbox investigations

In real-world incidents, mailbox compromise is rarely just about access. It is often about email flow manipulation.

Attackers may:

  • Send phishing emails that bypass initial spam filtering
  • Use compromised accounts to send internally trusted messages
  • Exploit transport rules to silently modify or redirect mail
  • Trigger delayed delivery patterns to avoid detection windows
  • Abuse trusted connectors in hybrid or third-party integrations

Message Trace helps you reconstruct not just what was received, but what should have been received and what happened in between.

This is especially important in cases of Business Email Compromise (BEC), where timing and delivery paths often reveal the attacker’s behavior.


Where to run Message Trace

You can access Message Trace from:

  • Exchange Admin Center (EAC) → Mail flow → Message trace
  • Or via PowerShell for deeper investigation

Basic PowerShell example:

Get-MessageTrace -SenderAddress user@contoso.com -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)

For detailed analysis:

Get-MessageTraceDetail -MessageTraceId <ID> -RecipientAddress user@contoso.com

The detailed trace output gives you step-by-step events such as:

  • Submitted
  • Received
  • Delivered
  • Failed
  • Quarantined
  • Redirected
  • Expanded (distribution groups)
  • Transport rule applied

How to interpret Message Trace results

When analyzing a compromised mailbox, do not just look at “Delivered” or “Failed” status.

Instead, focus on the message journey:

1. Delivery path anomalies

If a message was:

  • Delivered unusually fast or slow
  • Routed through unexpected connectors
  • Modified by transport rules

this may indicate either misconfiguration or malicious activity.


2. Transport rule interference

One of the most important indicators in Message Trace is transport rule application.

Attackers (or misconfigured admins) may create rules that:

  • Append text to emails (e.g., “URGENT PAYMENT REQUIRED”)
  • Redirect emails externally
  • Bypass spam filtering
  • Hide warnings from external senders

If Message Trace shows rule application on suspicious messages, you should immediately cross-check:

Get-TransportRule

3. SPF, DKIM, and DMARC failures

Message Trace also helps you identify authentication failures at the email level.

  • SPF failures often indicate spoofed sending sources
  • DKIM failures may indicate message tampering
  • DMARC policy actions (quarantine/reject) show enforcement behavior

In compromised mailbox scenarios, attackers often use internal trust to bypass these controls entirely, so a mix of passed internal mail + failed external mail can be a strong indicator of abuse.


4. Quarantine and Defender actions

If Microsoft Defender for Office 365 is enabled, Message Trace will show whether messages were:

  • Quarantined
  • Blocked as malware/phishing
  • Released by users or admins
  • Held for ZAP (Zero-hour Auto Purge)

This helps determine whether the attack was partially contained automatically before reaching users.


Building the incident timeline

The real power of Message Trace comes when you combine it with:

  • Entra ID Sign-in logs (who accessed the mailbox)
  • Mailbox audit logs (what they did inside)
  • Inbox rules (how messages were manipulated)
  • Defender alerts (what was detected automatically)

Together, these allow you to reconstruct a full timeline:

  1. Initial sign-in from suspicious location
  2. Successful authentication via stolen token or password
  3. Inbox rule creation or modification
  4. Outbound phishing emails sent
  5. Message delivery or quarantine events
  6. Defender detection or user report
  7. Containment actions applied

This timeline is often the difference between a simple password reset incident and a full Business Email Compromise investigation.


Key takeaway

Message Trace is not just a delivery tool—it is a forensic timeline engine for Exchange Online.

When used correctly, it answers the most important question in any mailbox investigation:

“What actually happened to this email, and why?”

If you suspect a mailbox compromise or unusual email activity in your Microsoft 365 tenant, we can help.

We offer a free Microsoft 365 email security assessment to quickly identify risks, misconfigurations, and potential threats across Exchange Online and Entra ID.

Contact TFORTECH to request your assessment.

resources:

Trace an email message in Exchange Online | Microsoft Learn

Mailbox audit logging in Exchange Server | Microsoft Learn

Share This Story, Choose Your Platform!

Leave A Comment