
SOC Casefile: Microsoft 365 Account Compromise Investigation.

A complete analysis of a compromised identity in Microsoft 365, covering key tactics, techniques, and procedures.


Introduction.

A SOC investigation following a compromised user typically takes between 45 minutes and 3 hours, depending on the volume of user activity, the quality of available audit data, the complexity of the attacker’s behaviour and whether any signs of exfiltration or mailbox manipulation require deeper analysis.

Straightforward cases involving a single suspicious sign-in and minimal follow-on activity usually sit at the lower end of that range, while incidents involving large-scale data access, unusual file-sharing behaviour or signs of targeted exfiltration take longer because they raise concerns around compliance, data sensitivity, regulatory obligations and potential security impact.

Initial Alert & Triage.

Containment and Identity Recovery.

Sign-In Timeline Reconstruction.

Mailbox and Exchange Online Forensics.

SharePoint, OneDrive, and Exfiltration Overview.

OAuth Application and Token Misuse Assessment.

Defender Signals and Endpoint Correlation.

Impact Assessment and Compliance Review.

Remediation, Hardening and Closure.
