# SOC Casefile: Microsoft 365 Account Compromise Investigation.

# Introduction.

A SOC investigation following a compromised user typically takes between 45 minutes and 3 hours, depending on the volume of user activity, the quality of available audit data, the complexity of the attacker’s behaviour and whether any signs of exfiltration or mailbox manipulation require deeper analysis.

Straightforward cases involving a single suspicious sign-in and minimal follow-on activity usually sit at the lower end of that range, while incidents involving large-scale data access, unusual file-sharing behaviour or signs of targeted exfiltration take longer because they raise concerns around compliance, data sensitivity, regulatory obligations and potential security impact.

---

# Initial Alert & Triage.

---

# Containment and Identity Recovery.

---

# Sign-In Timeline Reconstruction.

---

# Mailbox and Exchange Online Forensics.

---

# SharePoint, OneDrive, and Exfiltration Overview.

---

# OAuth Application and Token Misuse Assessment.

---

# Defender Signals and Endpoint Correlation.

---

# Impact Assessment and Compliance Review.

---

# Remediation, Hardening and Closure.

---
