// case comparison
cloud ATO vs ATO
both surface in identity and mailbox logs — cloud compromise is tenant-scoped OAuth and policy abuse; ATO is single-account credential takeover.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
cloud account compromise (M365 / Workspace)
tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, exchange transport rule tampering.
- 01 office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 02 microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 03 o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
- 04 azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
- 05 saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
- 06 microsoft defender cloud apps alert forensic analyzer: drop defender cloud apps alert export · parse app + user + risk · runs locally
- 07 fatcousin saas audit export correlator: drop saas audit log csv exports · actor + resource cross-service timeline · runs locally
- 08 microsoft account activity export forensic analyzer: drop microsoft account activity export · parse sign-in events · flag failed logins and mfa changes · csv/json export · runs locally
account takeover (ATO)
credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
- 01 okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
- 02 o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
- 03 office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 04 microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 05 mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect · CSV export · runs locally
- 06 password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
- 07 credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
- 08 sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
editorial overlap
8 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward cloud ATO if you see…
- OAuth grant or third-party app consent at tenant scope
- exchange transport rule or tenant-wide mail policy tampering
- azure or M365 activity log anomalies spanning multiple accounts
lean toward ATO if you see…
- single-user credential stuffing or password spray in IdP logs
- SIM swap or MFA bypass targeting one identity
- session takeover without tenant-wide OAuth or transport-rule abuse