Try this first
- 1Disable the account immediately (block sign-in) if they are already gone. If still employed: do nothing visible until you have advice.
- 2Microsoft 365 Audit Log (Audit Standard has been available in all Business/Enterprise tenants since late 2023 with 180-day retention; 1 year or more requires Audit Premium / E5): search for activities like FileDownloaded, FileSyncDownloadedFull, MailItemsAccessed in the month before departure.
- 3Check OneDrive and SharePoint sharing logs: did they recently share links externally?
- 4For serious cases: preserve the device (laptop, phone) without modifying it. Forensic analysis needs an untouched disk.
When to bring us in
This is not DIY territory. Call us or a lawyer. We do the audit-log investigation and preserve evidence properly; the lawyer handles any legal track.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.