Microsoft 365 Security Monitoring: Detecting Threats in M365 and Azure AD
Microsoft 365 is the most widely deployed enterprise productivity suite and the most targeted by attackers, making M365 security monitoring a top priority for any organization running on the platform. This guide covers the native logging and detection services to enable first, the four highest-impact attack patterns to monitor for — led by Business Email Compromise — and the Conditional Access controls that prevent most account takeover scenarios before they start.
- The Unified Audit Log is not enabled by default on all tenants and must be turned on explicitly in the Compliance Center.
- Business Email Compromise via malicious inbox rules remains the #1 financial fraud vector tied to M365 compromise.
- Blocking legacy authentication protocols (IMAP, POP3, SMTP AUTH) closes one of the most common MFA-bypass paths into M365.
- OAuth application consent phishing grants attackers persistent access without ever needing a password.
Microsoft 365 is the most widely deployed enterprise productivity suite and the most targeted by attackers. Business Email Compromise (BEC), phishing via compromised accounts, and OAuth app abuse via M365 are top enterprise attack vectors. Effective M365 security monitoring requires both enabling the right logging and having an investigation layer that makes those logs actionable.
Background: M365's Shared Responsibility Model
Microsoft secures the underlying infrastructure, datacenters, and platform availability of Microsoft 365 — but detecting misuse of a legitimately authenticated session is the customer's responsibility under the shared responsibility model. That distinction matters because most damaging M365 incidents, including the BEC wave that intensified through the early 2020s, don't involve breaking Microsoft's infrastructure at all. They involve an attacker obtaining valid credentials or an OAuth grant and then operating inside M365 exactly like a legitimate user would. As Microsoft has layered in native tools — Defender for Office 365, Azure AD Conditional Access, Identity Protection — the practical bottleneck has shifted from "is the right tool available" to "is it enabled, tuned, and actually monitored."
M365 security monitoring requires enabling Unified Audit Log, Defender for Office 365, Azure AD sign-in logs, and Microsoft 365 Defender. The highest-priority threat patterns: Business Email Compromise (inbox rules hiding emails), OAuth app consent abuse, impossible travel logins, and mailbox delegation changes.
Enable These M365 Security Services First
Unified Audit Log
The Unified Audit Log captures activity across Exchange Online, SharePoint, OneDrive, Teams, and Azure AD. It must be explicitly enabled (it's not on by default for all tenants). Enable it in the Microsoft 365 Compliance Center and increase retention from 90 days to the maximum your license allows (up to 1 year on E3, 10 years on E5 Compliance).
Microsoft Defender for Office 365
Defender for Office 365 (Plan 1 and Plan 2) adds threat protection for email, links, and attachments. Plan 2 adds Attack Simulator, Threat Explorer, and automated investigation. Enable Safe Attachments, Safe Links, and anti-phishing policies at minimum.
Azure AD Sign-In Logs
Azure AD sign-in logs record every authentication to M365 and Azure-integrated applications. Stream these to a SIEM or AI SOC platform for monitoring. Key log types: Interactive sign-ins, Non-interactive sign-ins (service accounts), Service principal sign-ins, Managed identity sign-ins.
The Most Critical M365 Attack Patterns
1. Business Email Compromise (BEC)
BEC is the #1 financial fraud vector involving M365. Attackers compromise an email account and create inbox rules to hide email trails and intercept financial communications. Detection signals: new inbox rules created (especially ones that forward externally or delete messages), changes to email delegation, unusual access to finance-related mailboxes.
Case study scenario: A 90-employee manufacturing firm has its accounts-payable manager's M365 credentials compromised through a password-spray attack that succeeds on the 14th attempt. The attacker logs in during business hours to avoid impossible-travel detection, then creates a hidden inbox rule that forwards any email containing "invoice" or "wire transfer" to an external address and deletes the forwarded copy from the inbox. Three days later, the attacker emails a vendor's actual contact requesting a routing-number change on an upcoming $85,000 payment. Unified Audit Log monitoring flags the new inbox rule's auto-delete-and-forward pattern within minutes of creation, well before the fraudulent wire instruction goes out.
2. OAuth Application Consent Phishing
Attackers register malicious Azure AD applications and trick users into granting them access to M365 data. Once consented, the app has persistent access without needing credentials. Detection signals: new OAuth application consent events (especially for applications with broad permissions like Mail.ReadWrite), consent events from unknown application publishers.
3. Account Takeover via Password Spray
Attackers spray common passwords against M365 login endpoints. Detection signals: multiple failed authentication attempts across many accounts from shared infrastructure, successful login from new IP/country/device immediately following failures.
4. Mailbox Data Exfiltration
Post-compromise, attackers access and export mailbox content. Detection signals: search-mailbox PowerShell commands, new eDiscovery cases, large-volume mailbox export activity, ContentSearch operations from unexpected users.
Azure AD Conditional Access: Your Best Preventive Control
Properly configured Azure AD Conditional Access policies block most M365 account takeover scenarios:
- Require MFA for all users (no exceptions, including service accounts where possible)
- Block legacy authentication protocols (IMAP, POP3, SMTP AUTH) — these bypass MFA
- Require compliant devices for sensitive data access
- Block access from anonymous proxy services
- Require MFA when sign-in risk is Medium or High (Azure AD Identity Protection)
M365 Attack Patterns at a Glance
| Attack Pattern | Primary Detection Signal | Severity |
|---|---|---|
| Business Email Compromise | New inbox rule forwarding/deleting mail | CRITICAL |
| OAuth consent phishing | Consent grant to unfamiliar publisher | HIGH |
| Password spray | Distributed failed logins, then a success | HIGH |
| Mailbox data exfiltration | eDiscovery/search-mailbox by unexpected user | HIGH |
Because M365 and Azure AD rarely operate in isolation, correlating sign-in and audit log anomalies with identity provider activity closes detection gaps — see our identity and access management security guide for how authentication-layer monitoring complements M365-specific controls. Organizations running Google Workspace alongside M365 (common during M&A or hybrid environments) should also review our Google Workspace security guide for parallel detection patterns.
- Unified Audit Log is enabled and retention is increased beyond the 90-day default
- Defender for Office 365 Safe Links, Safe Attachments, and anti-phishing policies are active
- Azure AD Conditional Access blocks legacy authentication protocols (IMAP/POP3/SMTP AUTH)
- Alerts fire on new inbox rules that forward externally or auto-delete messages
- OAuth app consent events are reviewed for unfamiliar publishers and broad permission scopes
Frequently Asked Questions
Detect M365 Threats Automatically
ZonForge Sentinel monitors Microsoft 365 and Azure AD, investigating every anomaly in under 60 seconds.