Office 365: Compromised Account Review with Audit Log

Reading Time: 4 minutes


Imagine this scenario that System Administrators are more commonly being faced with: An end user forwards along an e-mail inquiring about its legitimacy. The e-mail contains a link to a webpage that appears to be the Office 365 login page. The Administrator does his due diligence and determines the message to be malicious in origin. They found the link to be a spoof of the Office 365 login page, designed to provide any input credentials directly to an attacker.

Luckily, the end user claims they either did not access the link within the malicious message, or they did but did not proceed to input their credentials. No harm done right? If the claim is true, then yes, the user’s account should not be compromised, but this still leaves the ever-cautious Administrator uneasy. How can they be certain the account is secure? One method is to use the Office 365 audit log.

Enabling the Office 365 Audit Log

First, you will need to make sure you have the Audit log enabled:

  1. Access the Security & Compliance Center from your Office 365 Admin portal.
  2. Expand Search & Investigation on the right side-bar and select Audit log search.
  3. If you’ve not yet enabled the Audit log, you will see a link stating Start recording user and admin activities, click this to enable the log.

Using the Office 365 Audit Log to Verify Account Security

Now that you have enabled the audit log, you can use the next set of steps to review an account and identify IP addresses used to recently login. Any activity prior to enabling the log will not be available.

  1. Under the Search parameters, input a user account in question. If you begin typing their name in the Users field, you will receive a drop down to select from. Adjust the date range as needed. Leave the Activities option as the default, to see all activities.
  2. Click the Search button to initiate a search. Depending on the date range, it may take a few minutes to return the results to the right.
  3. Under the Results section, click the Activity header to sort results by the activity type. The activity we are looking for is UserLoggedIn.
  4. We now will see all the recent login activity, and the IP address the login was initiated from.
  5. You can run this IP against one of the many free IP lookup services available to return things like ISP and Geolocation.

Using the above steps, you can review the account in question to see if it has been accessed from any unanticipated locations. You’ll need to keep in mind that attackers can mask their location using services such as a VPN. In my experience, with the type of attack that was initially outlined, this is rarely done. If the account is compromised, you can usually find a foreign IP that the account was accessed from that coordinates with the time the malicious e-mail was received.

These types of attacks are typically an automated process running off a compromised web server. When credentials are received they are automatically tested for legitimacy by a script that attempts a login to Office 365. If valid they are logged and later used to manually carry out an attack. If caught in time you can possibly prevent any damage, beyond the initial login test, from being done. Of course, even if nothing malicious is found during your review, it is best practice to proceed with changing the user’s password just to be safe.

The audit log has many other uses for Systems Administrators, including the ability to set up custom alerting policies. Some of these other uses will be discussed in future posts. In the meantime, you can read more about it in Microsoft’s documentation.

Need help maximizing your Office 365 solution? With nearly a thousand Office 365 clients and hundreds of cloud migrations under our belt, we have the knowledge and expertise to help. Let’s chat.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.


Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

Latest Insights

About The Author