Try this first
1. Inbox rules into suspicious folders: OfficeActivity where Operation is 'New-InboxRule' or 'Set-InboxRule' and the Parameters list has a MoveToFolder value of Deleted Items, Junk Email, RSS Feeds, or a single-letter folder (in Defender XDR the same events appear in CloudAppEvents under those ActionTypes). Rule changes do not show up in EmailEvents; join to EmailEvents and EmailUrlInfo afterwards to see which mail and links the rule was hiding.
2. Mass downloads from SharePoint or OneDrive: CloudAppEvents where ActionType == 'FileDownloaded', counted per user per hour, with the count above your baseline (start at 100 and tune from there).
3. Sign-ins from countries you do not operate in: SigninLogs where Location (the two-letter country code) is outside your expected set and ResultType == "0" (success; the column is a string, so quote it). Filter out break-glass accounts, but review any use of those separately.
4. New OAuth app consents: AuditLogs where OperationName == 'Consent to application'. A user granting an unknown app access to mail or files is the classic illicit consent grant: the attacker ends up with a token without ever needing the password or an MFA prompt.
5. Unexpected PowerShell on endpoints: DeviceProcessEvents where FileName is powershell.exe or pwsh.exe and ProcessCommandLine contains IEX, DownloadString, or -enc / -EncodedCommand. Lots of false positives, but it teaches you what normal looks like.
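The five checks above, written out as one hunting query for a Sentinel workspace (or a Defender XDR workspace with the same tables) with a uniform output schema so the hits land in one list. This is an added example, not a query from the original page; the country codes, the break-glass account name, the download threshold and the folder list are placeholders to replace with your own values.

```kql
// Added example: the five starter checks as a single union query.
// Placeholders (assumptions, replace before use): expected_countries,
// breakglass, download_threshold, hide_folders.
let lookback = 7d;
let expected_countries = dynamic(["DE", "AT", "CH"]);      // assumption: countries you operate in
let breakglass = dynamic(["breakglass@example.com"]);      // assumption: your break-glass UPNs
let download_threshold = 100;                              // starting baseline from the list above
let hide_folders = dynamic(["Deleted Items", "Junk Email", "RSS Feeds", "Archive", "Conversation History"]);
union isfuzzy=true
(
  // 1. Inbox rules that move mail into folders attackers use to hide their replies
  OfficeActivity
  | where TimeGenerated > ago(lookback)
  | where Operation in ("New-InboxRule", "Set-InboxRule")
  | mv-expand Param = parse_json(Parameters)
  | where Param.Name == "MoveToFolder"
  | extend Folder = tostring(Param.Value)
  | where Folder in (hide_folders) or strlen(Folder) == 1
  | project Signal = "InboxRule", When = TimeGenerated, Who = UserId,
            Detail = strcat(Operation, " -> ", Folder), Source = ClientIP
),
(
  // 2. Bulk SharePoint/OneDrive downloads: per user, per hour, above the baseline
  CloudAppEvents
  | where Timestamp > ago(lookback)
  | where ActionType == "FileDownloaded"
  | where Application has_any ("SharePoint", "OneDrive")
  | summarize Downloads = count(), Sample = make_set(ObjectName, 5)
        by AccountDisplayName, Hour = bin(Timestamp, 1h)
  | where Downloads > download_threshold
  | project Signal = "MassDownload", When = Hour, Who = AccountDisplayName,
            Detail = strcat(Downloads, " files, e.g. ", tostring(Sample)), Source = ""
),
(
  // 3. Successful sign-ins from outside the expected countries, break-glass excluded
  SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType == "0"                      // success; ResultType is a string column
  | where isnotempty(Location) and Location !in (expected_countries)
  | where UserPrincipalName !in~ (breakglass)
  | project Signal = "ForeignSignIn", When = TimeGenerated, Who = UserPrincipalName,
            Detail = strcat(Location, " / ", AppDisplayName), Source = IPAddress
),
(
  // 4. New OAuth consents: who consented to which app, with which permissions
  AuditLogs
  | where TimeGenerated > ago(lookback)
  | where OperationName == "Consent to application"
  | extend App = tostring(TargetResources[0].displayName)
  | mv-expand Prop = TargetResources[0].modifiedProperties
  | where Prop.displayName == "ConsentAction.Permissions"
  | project Signal = "OAuthConsent", When = TimeGenerated,
            Who = tostring(InitiatedBy.user.userPrincipalName),
            Detail = strcat(App, " : ", tostring(Prop.newValue)),
            Source = tostring(InitiatedBy.user.ipAddress)
),
(
  // 5. PowerShell with download-and-execute or encoded-command markers
  DeviceProcessEvents
  | where Timestamp > ago(lookback)
  | where FileName in~ ("powershell.exe", "pwsh.exe")
  | where ProcessCommandLine has_any ("IEX", "Invoke-Expression", "DownloadString",
                                      "-enc", "-EncodedCommand", "FromBase64String")
  | project Signal = "SuspiciousPowerShell", When = Timestamp,
            Who = strcat(DeviceName, "\\", AccountName),
            Detail = ProcessCommandLine, Source = InitiatingProcessFileName
)
| order by When desc
```

Each parenthesised block is also a complete query on its own when pasted together with the let lines, which is how you tune one check at a time. `isfuzzy=true` keeps the union running if one of the tables is not yet being ingested. The PowerShell check lists both `-enc` and `-EncodedCommand` because `has_any` matches whole terms, so one spelling does not catch the other.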
When to bring us in
If a query result is still unexplained after an hour, treat it as an incident. Better a Friday afternoon spent on a false alarm than a real attack missed because the PowerShell call looked odd but probably innocent.
See also
- I think I clicked a phishing link: No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes: Classic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.