Microsoft 365 Security Monitoring: Detecting Threats in M365 and Azure AD

Microsoft 365 is the most widely deployed enterprise productivity suite and the most targeted by attackers. Business Email Compromise (BEC), phishing via compromised accounts, and OAuth app abuse via M365 are top enterprise attack vectors. Effective M365 security monitoring requires both enabling the right logging and having an investigation layer that makes those logs actionable.

Quick Answer

M365 security monitoring requires enabling Unified Audit Log, Defender for Office 365, Azure AD sign-in logs, and Microsoft 365 Defender. The highest-priority threat patterns: Business Email Compromise (inbox rules hiding emails), OAuth app consent abuse, impossible travel logins, and mailbox delegation changes.

Enable These M365 Security Services First

Unified Audit Log

The Unified Audit Log captures activity across Exchange Online, SharePoint, OneDrive, Teams, and Azure AD. It must be explicitly enabled (it's not on by default for all tenants). Enable it in the Microsoft 365 Compliance Center and increase retention from 90 days to the maximum your license allows (up to 1 year on E3, 10 years on E5 Compliance).

Microsoft Defender for Office 365

Defender for Office 365 (Plan 1 and Plan 2) adds threat protection for email, links, and attachments. Plan 2 adds Attack Simulator, Threat Explorer, and automated investigation. Enable Safe Attachments, Safe Links, and anti-phishing policies at minimum.

Azure AD Sign-In Logs

Azure AD sign-in logs record every authentication to M365 and Azure-integrated applications. Stream these to a SIEM or AI SOC platform for monitoring. Key log types: Interactive sign-ins, Non-interactive sign-ins (service accounts), Service principal sign-ins, Managed identity sign-ins.

The Most Critical M365 Attack Patterns

1. Business Email Compromise (BEC)

BEC is the #1 financial fraud vector involving M365. Attackers compromise an email account and create inbox rules to hide email trails and intercept financial communications. Detection signals: new inbox rules created (especially ones that forward externally or delete messages), changes to email delegation, unusual access to finance-related mailboxes.
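The inbox-rule signal above is the easiest of these to turn into a concrete check. The following added example (not code from the original page or from ZonForge) triages Unified Audit Log records for New-InboxRule and Set-InboxRule operations and flags rules that forward mail outside the tenant, delete matching messages, or filter on finance keywords. The tenant domain, the sample records, and the finance term list are constructed assumptions; the Exchange record shape (a Parameters array of Name/Value pairs) matches what the Unified Audit Log emits for cmdlet audit events.

```python
import re

# Assumptions for this constructed example: the tenant's own domains and the record shape.
INTERNAL_DOMAINS = {"contoso.example"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
FINANCE_TERMS = ("invoice", "payment", "wire", "bank")
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed Unified Audit Log records (Exchange workload); not real tenant data.
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "billing@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

def rule_params(record):
    """Flatten the record's Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def triage_inbox_rule(record):
    """Return the reasons an inbox-rule record looks like BEC tradecraft; [] means benign."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_params(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        # Values may be plain SMTP addresses or "Display Name [SMTP:addr]"; pull out the addresses.
        external = [a for a in ADDRESS_RE.findall(params.get(name, "")) if is_external(a)]
        if external:
            reasons.append(f"{name} sends mail outside the tenant: {', '.join(external)}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    for name in KEYWORD_PARAMS:
        words = params.get(name, "").lower()
        if any(term in words for term in FINANCE_TERMS):
            reasons.append(f"{name} targets finance mail: {params[name]}")
    return reasons
```

Run it over each record pulled from Search-UnifiedAuditLog; a non-empty result for a user's rule is the alert, and the external forwarding reason on its own is worth paging on.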

2. OAuth Application Consent Phishing

Attackers register malicious Azure AD applications and trick users into granting them access to M365 data. Once consented, the app has persistent access without needing credentials. Detection signals: new OAuth application consent events (especially for applications with broad permissions like Mail.ReadWrite), consent events from unknown application publishers.

3. Account Takeover via Password Spray

Attackers spray common passwords against M365 login endpoints. Detection signals: multiple failed authentication attempts across many accounts from shared infrastructure, successful login from new IP/country/device immediately following failures.

4. Mailbox Data Exfiltration

Post-compromise, attackers access and export mailbox content. Detection signals: search-mailbox PowerShell commands, new eDiscovery cases, large-volume mailbox export activity, ContentSearch operations from unexpected users.

Azure AD Conditional Access: Your Best Preventive Control

Properly configured Azure AD Conditional Access policies block most M365 account takeover scenarios:

  • Require MFA for all users (no exceptions, including service accounts where possible)
  • Block legacy authentication protocols (IMAP, POP3, SMTP AUTH) — these bypass MFA
  • Require compliant devices for sensitive data access
  • Block access from anonymous proxy services
  • Require MFA when sign-in risk is Medium or High (Azure AD Identity Protection)

Frequently Asked Questions

M365 security monitoring requires: enabling the Unified Audit Log (not on by default), deploying Defender for Office 365, streaming Azure AD sign-in logs to an investigation platform, and monitoring for high-risk events (inbox rules, OAuth consent, impossible travel logins). Add an AI SOC platform to investigate M365 anomalies automatically rather than manually.

The most common M365 attacks are: Business Email Compromise (inbox rule creation to hide financial fraud), OAuth application consent phishing (malicious apps granted M365 access), password spraying against Azure AD, session token theft bypassing MFA, and post-compromise data exfiltration via eDiscovery or search-mailbox commands.

Yes. ZonForge Sentinel connects to Microsoft 365 Unified Audit Log, Defender for Office 365, and Azure AD sign-in logs. When an anomaly is detected (inbox rule creation, impossible travel login, OAuth consent event), the AI analyst automatically investigates by correlating M365 activity with other connected platforms like AWS and Okta.

Detect M365 Threats Automatically

ZonForge Sentinel monitors Microsoft 365 and Azure AD, investigating every anomaly in under 60 seconds.
