What is the “Microsoft 365” forensic artifact?

Microsoft 365 (M365) artifacts refer to the cloud-generated logs and configuration data from the Microsoft 365 tenant, spanning services like Exchange Online and Entra ID (formerly Azure AD). Unlike traditional disk-based artifacts, these records are retrieved via cloud APIs. This specific artifact collection aggregates critical telemetry including Entra Audit Logs, Message Traces, and configuration states for App Registrations, Service Principals, OAuth Permissions, and both Mailbox and Transport Rules. Together, they form the definitive record of identity, access, and communication flow within an organization’s cloud environment.

From a DFIR perspective, M365 artifacts are the primary source of evidence for investigating Business Email Compromise (BEC) and Account Takeover (ATO). The collection focuses on high-fidelity indicators of compromise. Mailbox and Transport Rules are frequently manipulated by attackers to hide their presence or auto-forward sensitive data to external accounts. Audit Logs and Message Traces allow investigators to reconstruct the timeline of an intrusion, pinpointing the initial unauthorized login and tracking every email sent or received by the compromised account. Furthermore, monitoring OAuth Permissions, App Registrations, and Service Principals is essential for detecting modern “illicit consent” attacks, where attackers bypass MFA and maintain persistence by registering malicious applications or granting excessive permissions to third-party tools.

Collecting, Decoding, and Viewing “Microsoft 365” with TensorGuard

1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
3. Linked inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
5. Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
6. Once the report is generated, you’ll have Microsoft 365 delivered in the browser, alongside an executive summary and timeline of findings.