// first 10 minutes

cloud account compromise (M365 / Workspace) — quick-start

cloud account compromise — first 10 minutes. revoke consent, pull audit logs now. print this, check boxes, then run the primary tools.

checklist

  1. list all third-party OAuth apps with delegated permissions in the tenant.
  2. revoke any app not on the known-good list — assume consent is the attack vector.
  3. export unified audit log — 30 days minimum, pull now before retention rolls.
  4. export Azure AD / Entra sign-in logs — consent clicks and app sign-ins live here.
  5. export Azure AD audit log — consent grant and revocation proof.
  6. export OAuth2PermissionGrant records — scopes tell you what was possible.
  7. identify affected users from MailItemsAccessed and FileAccessed events in UAL.
  8. force password reset and invalidate refresh tokens for all affected users.
  9. disable user consent for non-verified publishers tenant-wide — stop the bleeding.
  10. begin the primary tool path below.
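an added example, not one of the tools listed below: a small python triage script that applies steps 1, 2, 6 and 7 to local exports. it assumes an OAuth2PermissionGrant export in the Graph JSON shape (clientId, consentType, principalId, scope) and a UAL export whose AuditData carries ClientAppId (MailItemsAccessed) or ApplicationId (FileAccessed); the known-good allowlist, the high-risk scope set and the sample records are constructed.

```python
import json

# delegated scopes that make a consent grant worth revoking on sight (assumption: tune per tenant)
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}

def triage_grants(grants, known_good_client_ids):
    """step 1/2/6: every grant whose client is not on the allowlist, with the scopes that matter."""
    findings = []
    for g in grants:
        if g["clientId"] in known_good_client_ids:
            continue
        scopes = set(g.get("scope", "").split())          # Graph stores scopes space-separated
        findings.append({"clientId": g["clientId"], "consentType": g.get("consentType"),
                         "principalId": g.get("principalId"),
                         "risky_scopes": sorted(scopes & HIGH_RISK_SCOPES)})
    return findings

def affected_users(ual_records, suspect_client_ids):
    """step 7: users whose mail or files a suspect app touched, from UAL access events."""
    users = set()
    for r in ual_records:
        if r.get("Operation") not in ("MailItemsAccessed", "FileAccessed"):
            continue
        data = r.get("AuditData", {})
        if isinstance(data, str):                         # UAL csv/json exports carry AuditData as a json string
            data = json.loads(data)
        app = data.get("ClientAppId") or data.get("ApplicationId")
        if app in suspect_client_ids:
            users.add(r["UserId"].lower())
    return sorted(users)

# constructed sample exports: one sanctioned app, one unknown app with mailbox scopes
KNOWN_GOOD = {"11111111-known-app"}
GRANTS = [
    {"clientId": "11111111-known-app", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
    {"clientId": "22222222-rogue-app", "consentType": "Principal", "principalId": "u-1",
     "scope": "Mail.ReadWrite offline_access User.Read"},
]
UAL = [
    {"Operation": "MailItemsAccessed", "UserId": "Alice@contoso.example", "AuditData": json.dumps({"ClientAppId": "22222222-rogue-app"})},
    {"Operation": "FileAccessed", "UserId": "bob@contoso.example", "AuditData": json.dumps({"ApplicationId": "22222222-rogue-app"})},
    {"Operation": "MailItemsAccessed", "UserId": "carol@contoso.example", "AuditData": json.dumps({"ClientAppId": "11111111-known-app"})},
    {"Operation": "UserLoggedIn", "UserId": "dave@contoso.example", "AuditData": "{}"},
]

def run(grants=GRANTS, ual=UAL, known_good=KNOWN_GOOD):
    findings = triage_grants(grants, known_good)
    suspects = {f["clientId"] for f in findings}
    return findings, affected_users(ual, suspects)

if __name__ == "__main__":
    revoke, users = run()
    print("revoke:", json.dumps(revoke, indent=1))
    print("reset + token invalidation for:", users)
```

the users list is the input to step 8; the findings list is what you revoke in step 2 and keep as proof against the Azure AD audit log in step 5.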

primary tools

  1. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  2. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
  3. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  4. azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
  5. saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
  6. microsoft defender cloud apps alert forensic analyzer: drop defender cloud apps alert export · parse app + user + risk · runs locally
  7. fatcousin saas audit export correlator: drop saas audit log csv exports · actor + resource cross-service timeline · runs locally
  8. microsoft account activity export forensic analyzer: drop microsoft account activity export · parse sign-in events · flag failed logins, mfa changes · csv/json export · runs locally
