Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.


When it comes to Microsoft Office 365 security, relying on a cybersecurity generalist is like a sailor trying to cross unknown waters and treacherous shoals with nothing but a compass. If you run O365 now, or are thinking of making the move, know that Kroll specialists work extensively within the O365 environment every day.

We investigate and solve problems for clients around the world, discovering new hazards and navigating known risks. You can rely on our cumulative and ever-expanding O365 security knowledge to guide you toward proactive measures that better safeguard data, especially as O365 continues to evolve in both its security offerings and its configuration options.


Diverse O365 Investigations Inform Proven Forensics Methodology

Kroll’s forensic specialists have spent years investigating O365 security incidents of all sizes, types and complexity, including phishing attacks, business email compromise, insider threats, compromise of privileged accounts and SMTP relay attacks.

Our experts’ unique experience not only informs Kroll’s robust forensic methodology, but also primes our approach with the agility to recognize and respond to new forms of cyberattacks.

Our investigations deliver actionable information by reconstructing a detailed timeline of a bad actor’s activity in your environment:

  • Identifying the search terms the actor ran and the messages that may have been viewed as a result of those searches
  • Distinguishing mail-client access from web browser-based access
  • Identifying and compiling emails auto-forwarded by unauthorized mail rules
  • Looking across the entire O365 tenant for other suspicious or unauthorized access, including OneDrive and SharePoint file access
  • Where the original phishing message is still available, identifying and analyzing the campaign that led to the compromise


O365 Security Incident Forensic Methodology

Kroll’s forensics methodology for O365 security incidents is structured and implemented in three broad phases. Each phase is customizable for your needs and goals. The team routinely works with counsel and cyber insurance providers, and can provide support remotely, onsite or in combination. Our findings ultimately also help with decision-making around notification efforts, including defensible communications to regulators.

Note: The following is a high-level overview of Kroll’s methodology. Contact Kroll for the complete scope of activities.


Phase 1 – Explore and Map Cyber Event Details and Scope

  • Collect, preserve and analyze the relevant available O365 data to establish a timeline of events and unauthorized access
  • Analyze relevant data across all Office 365 accounts for indicators of compromise and to scope the risk enterprise-wide
  • If relevant, identify and enumerate messages that were auto-forwarded outside the client’s tenant and may be at risk of unauthorized access
  • Share the indicators of compromise Kroll identified and collected with the client to further protect the client’s infrastructure
  • Share findings in verbal presentation and report format, as requested by counsel and the client
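The investigation steps listed under "Diverse O365 Investigations" and the Phase 1 timeline and indicator work above can be illustrated with an added example that is not Kroll's own tooling: a Python script that takes the AuditData JSON payloads returned by Search-UnifiedAuditLog, orders them into a timeline, extracts inbox-rule and mailbox changes that forward mail (flagging targets outside the tenant and rules that also delete the message), lists the search queries the account ran, classifies each mail access as web-browser or mail-client based from its ClientInfoString, collects OneDrive/SharePoint file events, and pulls out the source IPs behind the forwarding rules as a first set of indicators to hunt for tenant-wide. The records, the tenant domain (example.com), users, IPs, addresses and file names are all constructed for the demonstration; the field names follow the audit-log schema, but check them against your own export before relying on the script.

```python
import json
import re

# Assumed victim-tenant domain; forwarding targets outside it are flagged as external.
TENANT_DOMAIN = "example.com"

# Constructed sample of the "AuditData" JSON payloads that Search-UnifiedAuditLog
# returns (one JSON string per record). Times, users, IPs, addresses and files are invented.
SAMPLE_AUDITDATA = [json.dumps(r) for r in [
    {"CreationTime": "2023-03-01T08:02:11", "Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.45",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Linux x86_64) Chrome/110.0"}]},
    {"CreationTime": "2023-03-01T08:05:40", "Operation": "SearchQueryInitiatedExchange",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45", "QueryText": "wire transfer"},
    {"CreationTime": "2023-03-01T08:06:02", "Operation": "MailItemsAccessed", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.45", "ClientInfoString": "Client=OWA;Action=ViaProxy", "MailAccessType": "Bind",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<wire-0421@bank.example>"}]}]},
    {"CreationTime": "2023-03-01T08:09:15", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive.mailbox@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-03-01T08:11:30", "Operation": "FileAccessed", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.45", "Workload": "OneDrive", "SourceFileName": "Q1 Bank Details.xlsx",
     "SiteUrl": "https://example-my.sharepoint.com/personal/cfo_example_com/"},
    {"CreationTime": "2023-03-01T09:30:00", "Operation": "MailItemsAccessed", "UserId": "cfo@example.com",
     "ClientIP": "198.51.100.7", "MailAccessType": "Sync",
     "ClientInfoString": "Client=Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16130; Pro)"},
]]

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress")


def load_records(auditdata_lines):
    """Parse AuditData JSON strings and order them into a timeline by CreationTime."""
    return sorted((json.loads(line) for line in auditdata_lines), key=lambda r: r["CreationTime"])


def parameter_map(record):
    """Flatten the Parameters array of a cmdlet audit record into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    return not address.lower().endswith("@" + TENANT_DOMAIN)


def forwarding_rules(records):
    """Inbox-rule or mailbox changes that forward mail, with external targets flagged."""
    findings = []
    for r in records:
        if r["Operation"] not in RULE_OPERATIONS:
            continue
        params = parameter_map(r)
        targets = [a for key in FORWARD_PARAMS if key in params for a in ADDR_RE.findall(str(params[key]))]
        if not targets:
            continue
        findings.append({"time": r["CreationTime"], "user": r["UserId"], "ip": r.get("ClientIP"),
                         "operation": r["Operation"], "rule_name": params.get("Name"), "targets": targets,
                         "external": any(is_external(t) for t in targets),
                         # A rule that also deletes the message hides the forwarding from the victim.
                         "deletes": str(params.get("DeleteMessage", "")).lower() == "true"})
    return findings


def classify_client(client_info):
    """Map a MailItemsAccessed ClientInfoString to the access channel it implies."""
    s = client_info.lower()
    if "client=owa" in s:
        return "web browser"
    if "outlook-ios" in s or "outlook-android" in s or "activesync" in s:
        return "mobile client"
    if "microsoft outlook" in s or "client=mapi" in s or "client=outlook" in s:
        return "mail client"
    if "client=rest" in s or "client=webservices" in s:
        return "api/ews"
    return "other"


def mail_access(records):
    """Per MailItemsAccessed event: who, from where, via which channel, which messages."""
    events = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        ids = [i["InternetMessageId"] for f in r.get("Folders", []) for i in f.get("FolderItems", [])]
        events.append({"time": r["CreationTime"], "user": r["UserId"], "ip": r.get("ClientIP"),
                       "channel": classify_client(r.get("ClientInfoString", "")),
                       "access_type": r.get("MailAccessType"), "message_ids": ids})
    return events


def search_terms(records):
    """Search queries the account ran (SearchQueryInitiated* events carry QueryText)."""
    return [(r["CreationTime"], r["UserId"], r["QueryText"])
            for r in records if r["Operation"].startswith("SearchQueryInitiated")]


def file_access(records):
    """OneDrive / SharePoint file events for the same account."""
    return [(r["CreationTime"], r["UserId"], r.get("Workload"), r.get("SourceFileName"), r.get("SiteUrl"))
            for r in records if r["Operation"] in {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}]


def indicator_ips(records):
    """Source IPs behind forwarding-rule changes: a first IOC set to hunt for across the tenant."""
    return {f["ip"] for f in forwarding_rules(records) if f["ip"]}


def timeline(records):
    """One line per event, oldest first, suitable for a report appendix."""
    return [f"{r['CreationTime']} {r['UserId']} {r.get('ClientIP', '-')} {r['Operation']}" for r in records]


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDITDATA)
    print("\n".join(timeline(recs)))
    print("forwarding rules:", forwarding_rules(recs))
    print("indicator IPs:", indicator_ips(recs))
```

In a real engagement the forwarding-rule creation time is joined against message trace data to enumerate which messages actually left the tenant, and the indicator IPs are then searched across every account in the tenant rather than the one mailbox shown here.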

Phase 2 – Sensitive Data Processing and Review

  • Employ various search techniques to identify files likely to contain sensitive data (as defined by counsel/client)
  • Use advanced analytics to identify files that do not require review for sensitive data, and perform statistically valid sampling to verify the results
  • Manually review the files found likely to contain sensitive data
  • Deliver the findings of sensitive data processing/review to counsel/client
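As an added illustration of this phase (not Kroll's own tooling), the following Python script implements the search and sampling logic in miniature: pattern matching for US Social Security numbers and Luhn-validated payment card numbers to flag files for manual review, and a sample-size calculation (normal approximation with finite-population correction) to decide how many of the cleared files a reviewer should spot-check. The file set is constructed; a real engagement uses the sensitive-data definitions agreed with counsel and a far broader set of patterns and validators.

```python
import math
import random
import re

# Constructed sample of extracted file text (for example from a mailbox or OneDrive export).
# Names and contents are invented; the card number is the well-known Visa test number.
SAMPLE_FILES = {
    "HR/onboarding_2022.csv": "employee,ssn\nJane Roe,123-45-6789\n",
    "Finance/card_on_file.txt": "Visa ending: 4111 1111 1111 1111 exp 09/25",
    "Marketing/newsletter.html": "<p>Spring sale, call 555-123-4567</p>",
    "IT/asset_ids.txt": "serial 4111111111111112 rack 12",   # 16 digits but fails Luhn
    "Legal/nda_template.txt": "This Agreement is made between the parties...",
}

# US SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/dash separators; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return candidate SSNs and Luhn-valid card numbers found in a file's text."""
    cards = []
    for raw in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards}


def triage(files):
    """Split files into those needing manual review (with their hits) and those cleared."""
    needs_review, cleared = {}, []
    for name in sorted(files):
        hits = scan_text(files[name])
        if hits["ssn"] or hits["card"]:
            needs_review[name] = hits
        else:
            cleared.append(name)
    return needs_review, cleared


def sample_size(population, z=1.96, margin=0.05, p=0.5):
    """Sample size to estimate a proportion at confidence z and the given margin of error,
    with finite-population correction. p=0.5 is the conservative (largest) choice."""
    n0 = z * z * p * (1 - p) / (margin * margin)
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def verification_sample(cleared, seed=2023):
    """Deterministic random sample of cleared files for a human to spot-check."""
    return random.Random(seed).sample(sorted(cleared), sample_size(len(cleared)))


if __name__ == "__main__":
    review, cleared = triage(SAMPLE_FILES)
    print("needs review:", review)
    print("cleared:", cleared, "-> spot-check", verification_sample(cleared))
    print("sample for 10,000 cleared files at 95% / 5%:", sample_size(10000))
```

With 10,000 cleared files the calculation asks for 370 to be spot-checked at 95% confidence and a 5% margin; the seed keeps the sample reproducible so the selection can be documented in the report.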

Phase 3 – Notification Assistance

  • Help the client and their legal counsel draft compliant notification letters
  • Standardize, scrub and deduplicate the mailing list; cross-reference it against the National Change of Address database
  • Provide comprehensive reports that document the client’s best effort to notify
  • Set up and run a call center, supported by data breach/identity theft experts, including access to licensed investigators

Proactively Fortify O365 Email Security With Kroll’s Unique Frontline Insight

Organizations that have deployed O365 are often unaware of the configuration choices that directly improve data security, including their ability to recover after an incident. Kroll offers practical guidance that covers the entire email kill chain, including O365 configuration, phishing prevention, workstation defenses and end-user awareness. Our goal is to provide you with a prioritized set of specific recommendations to help manage the email security program.


O365 Email Security Assessment 

Goal: Identify material gaps or significant shortcomings in the organization's email security defenses. 

Process: Kroll experts remotely review email security defenses with a focus on identifying proactive measures and controls. 


  • Security settings to restrict unauthorized access
  • User activity logging and auditing configurations to aid investigative efforts
  • Email filtering options and configurations in place to prevent phishing attacks and malicious payload delivery
  • Email access protocols
  • Secure message communications
  • Azure Active Directory Security Configuration
  • Intune Mobile Device Management


O365 Email Secondary Defenses Assessment

Goal: Assess the secondary defensive measures in place to protect the organization against email–based attacks.

Process: Kroll experts interview a cross-section of employees and functional areas and, where scoped, run a phishing campaign, covering:


  • Workstation controls
  • Employee Awareness
  • Incident Response
  • Business processes related to email authorization of payments
  • Phishing campaign to gauge employee awareness and effectiveness of controls


O365 is a Dynamic Environment. Is Your Security Keeping Up?

Office 365 is continually introducing new features and retiring older capabilities. You can count on Kroll’s O365 security specialists to be there on the leading edge, able to guide you through challenges and harden security throughout the environment.

In fact, Kroll has you covered end-to-end when it comes to incident response, including our powerful CyberDetectER. Speak with one of our O365 security specialists today to learn about all our capabilities.
