What causes Suspected breach — unusual activity, no smoking gun yet?

Credential compromise via phishing / infostealer / leaked password • OAuth consent grant abuse (illicit consent) • Compromised privileged account being used quietly • Adversary-in-the-middle session token theft (post-MFA)

How do I resolve Suspected breach — unusual activity, no smoking gun yet?

Triage quickly without contaminating evidence • If confirmed compromise: pivot to ransomware/incident playbook • If false alarm: document, tighten detection, communicate findings

How do I prevent Suspected breach — unusual activity, no smoking gun yet?

MFA — phishing-resistant (FIDO2) for privileged accounts • Continuous access evaluation (CAE) enabled in Entra • Mailbox auditing on, and reviewed • OAuth app governance (admin consent workflow) • User training quarterly on phishing patterns

P1 · Cyber Incident Response

Suspected breach — unusual activity, no smoking gun yet

Indicators of compromise without confirmed impact: anomalous logins, unfamiliar processes, antivirus quiet. Triage before escalation; preserve evidence either way.

Indicators

Sign-ins from unfamiliar countries or impossible-travel events
New mailbox forwarding rules created without user awareness
MFA prompts users didn't initiate
EDR alerts cleared but recurrent
Antivirus disabled on a server — without authorised change

Likely causes

Credential compromise via phishing / infostealer / leaked password
OAuth consent grant abuse (illicit consent)
Compromised privileged account being used quietly
Adversary-in-the-middle session token theft (post-MFA)

Diagnostic steps

Pull Entra Sign-in logs — filter by the suspect user/account, look at IP, app, location, conditional access result
Audit log: Get-MailboxRule, Get-InboxRule for forwarding / external rules across the tenant
Review consented OAuth apps — Get-AzureADUserOAuth2PermissionGrant, audit risky permissions (Mail.Read, full_access_as_app)
On endpoints: Autoruns, ProcMon, Sigcheck for unsigned/recent additions; EDR retroactive search for IOCs
Compare MFA registration / device list per user — any unrecognised additions?
Decision point: contained low-risk anomaly, or escalate to full IR? Err toward escalation

Resolution path

Triage quickly without contaminating evidence
If confirmed compromise: pivot to ransomware/incident playbook
If false alarm: document, tighten detection, communicate findings

Prevention

MFA — phishing-resistant (FIDO2) for privileged accounts
Continuous access evaluation (CAE) enabled in Entra
Mailbox auditing on, and reviewed
OAuth app governance (admin consent workflow)
User training quarterly on phishing patterns

Tools

Entra Sign-in / Audit logs
Microsoft Graph / Defender XDR advanced hunting
PowerShell ExchangeOnlineManagement / MicrosoftGraph for forensic queries
Sysinternals — Autoruns, ProcMon, Sigcheck
EDR retroactive hunting

References

MITRE ATT&CK — Tactic / Technique reference
Microsoft — Detect and remediate illicit consent grants
NCSC — Logging Made Easy

incident-responsebreachforensicsentraauditphishing