
Why Microsoft 365 Account Takeovers Go Undetected for Weeks

Most businesses assume that if someone broke into their Microsoft 365 environment, they would know about it. An alert would fire. Something would look wrong. The reality is far more uncomfortable. Attackers routinely operate inside Microsoft 365 environments for weeks, sometimes months, without triggering a single notification.

Attackers Do Not Break In. They Log In.

The most common entry point for a Microsoft 365 account takeover is not a sophisticated exploit or zero-day vulnerability. It is a stolen password. Through phishing emails, credential stuffing attacks, or data from previous breaches, attackers obtain valid usernames and passwords. Once they have those credentials, they log in exactly like the real user would. From Microsoft's perspective, nothing looks wrong.

This is the fundamental problem. Traditional security thinking assumes attackers have to force their way in. Modern identity-based attacks do not work that way. The attacker is already authenticated before anyone realizes there is a problem.

The First Thing Attackers Do: Hide

Once inside, a skilled attacker does not immediately steal data or send fraudulent emails. That would trigger alerts and get them caught. Instead, they spend time understanding the environment and building persistence. The most common technique is creating hidden inbox rules.

An inbox rule can be set up in seconds and is invisible to the average user. The attacker creates a rule that automatically moves, deletes, or forwards specific emails based on keywords. Common keywords are terms like "invoice," "payment," "wire transfer," "ACH," or the names of specific contacts or vendors. Incoming emails matching those keywords get silently redirected before the account owner ever sees them.

This gives the attacker two advantages. First, they can monitor sensitive communications without anyone knowing. Second, when they eventually send fraudulent emails or intercept payment conversations, the real account owner never receives the replies that might tip them off.
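As an added example (not code from the original post), here is a Python check that flags an inbox rule with the traits just described from a single audit-log record. The record is constructed; its field names follow the shape of the unified audit log's AuditData for New-InboxRule but are assumed here, and the internal domain, keyword list and folder list are placeholders to adjust per tenant.

```python
# Constructed sample in the shape of an Exchange Online unified audit log
# record for New-InboxRule (field names assumed; values are made up).
SAMPLE_RULE_EVENT = {
    "CreationTime": "2024-03-12T07:14:33",
    "Operation": "New-InboxRule",
    "UserId": "ap.clerk@example.com",
    "ClientIP": "203.0.113.45",
    "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire transfer;ACH"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
    ],
}

FINANCE_TERMS = {"invoice", "payment", "wire transfer", "ach", "remittance"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open, so a message moved there is effectively hidden.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}


def rule_parameters(event):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def classify_inbox_rule(event, internal_domains=("example.com",)):
    """Return the reasons an inbox-rule event looks like attacker persistence ([] if none)."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = rule_parameters(event)
    reasons = []
    # Empty or single-character rule names are a common attempt to stay unnoticed.
    name = params.get("Name")
    if name is not None and len(name.strip()) <= 1:
        reasons.append(f"rule name {name!r} is empty or a single character")
    for param in sorted(EXFIL_PARAMS.intersection(params)):
        target = params[param].lower()
        if "@" in target and target.rsplit("@", 1)[1] not in internal_domains:
            reasons.append(f"{param} sends mail to external address {target}")
    hits = set()
    for param, value in params.items():
        if param.endswith("ContainsWords"):
            hits |= {w.strip().lower() for w in value.split(";")} & FINANCE_TERMS
    if hits:
        reasons.append(f"matches finance keywords {sorted(hits)}")
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to {params['MoveToFolder']!r}")
    return reasons
```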

Why Defender Does Not Always Catch It

Microsoft Defender for Office 365 is a capable tool. It scans for known malware, flags suspicious links, and can detect some phishing attempts. What it does not do well on its own is identify behavioral anomalies that unfold slowly over time.

An attacker logging in from a new IP address after previously logging in from Connecticut is suspicious. But if that sign-in happens once and does not match a known malicious IP, Defender may not flag it. An inbox rule created at 2am by an account that has never created inbox rules before is suspicious. But without someone actively monitoring audit logs and correlating that activity with sign-in behavior, that rule sits undetected.

Defender generates alerts. It does not investigate them, correlate them, or respond to them. That requires a human being looking at the right data at the right time.

The Dwell Time Problem

In two separate incidents we responded to involving Connecticut professional services firms, the attackers had been inside the environment for 23 days and 30 days respectively before detection. During that time they read emails, learned the business, identified financial relationships, and positioned themselves to commit fraud. In both cases the eventual discovery came not from an automated alert but from an external party noticing something wrong.

This is not unusual. Industry data consistently shows that the average dwell time for attackers in a compromised environment is measured in weeks, not hours. Every day an attacker remains undetected is another day they are learning, positioning, and preparing.

The Signs That Should Trigger Investigation

There are specific indicators that an account takeover may be in progress or may have already occurred:

  • Sign-ins from geographically impossible locations in short timeframes
  • Sign-ins from unfamiliar ISPs or countries
  • Inbox rules created outside of business hours or by accounts that have never created rules before
  • Changes to MFA methods or registered devices
  • Emails sent from an account that the account owner has no memory of sending

None of these individually confirms a compromise. All of them warrant immediate investigation.
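The correlation the Defender section and the indicator list both describe (a rule created outside business hours, by an account that never created one, from an IP not seen in its earlier sign-ins), as an added Python example that is not from the original post. The audit records are constructed and abridged; the Eastern-time offset, business hours and one-day baseline window are assumptions to adjust for your environment.

```python
from datetime import datetime, timedelta

# Assumptions for this example: the firm works US Eastern (standard-time offset
# used for simplicity) and the unified audit log records CreationTime in UTC.
LOCAL_UTC_OFFSET = timedelta(hours=-5)
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local
BASELINE_GAP = timedelta(days=1)       # sign-ins older than this form the IP baseline

# Constructed, abridged audit records: sign-ins from the office address, then a
# sign-in from a new address followed by a rule creation at 02:14 local time.
EVENTS = [
    {"CreationTime": "2024-03-05T14:02:10", "Operation": "UserLoggedIn",
     "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-03-06T13:40:51", "Operation": "UserLoggedIn",
     "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2024-03-12T06:58:02", "Operation": "UserLoggedIn",
     "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45"},
    {"CreationTime": "2024-03-12T07:14:33", "Operation": "New-InboxRule",
     "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45"},
]


def utc_time(event):
    return datetime.fromisoformat(event["CreationTime"])


def correlate_rule_events(events):
    """For every inbox-rule creation, list the sign-in context that makes it anomalous."""
    events = sorted(events, key=utc_time)
    findings = []
    for i, ev in enumerate(events):
        if ev["Operation"] != "New-InboxRule":
            continue
        when = utc_time(ev)
        local = when + LOCAL_UTC_OFFSET
        mine = [e for e in events[:i] if e["UserId"] == ev["UserId"]]
        baseline_ips = {e["ClientIP"] for e in mine
                        if e["Operation"] == "UserLoggedIn" and when - utc_time(e) > BASELINE_GAP}
        reasons = []
        if local.hour not in BUSINESS_HOURS:
            reasons.append(f"created at {local:%H:%M} local, outside business hours")
        if not any(e["Operation"] == "New-InboxRule" for e in mine):
            reasons.append("first inbox rule this account has created in the reviewed window")
        if ev["ClientIP"] not in baseline_ips:
            reasons.append(f"created from {ev['ClientIP']}, not seen in this account's earlier sign-ins")
        if reasons:
            findings.append({"user": ev["UserId"], "time_utc": ev["CreationTime"], "reasons": reasons})
    return findings
```

Each finding is a candidate for a human to investigate, not a verdict; a rule that trips none of the three checks is simply not reported.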

What Actually Stops This

Stopping account takeovers before they cause damage requires three things working together. First, Conditional Access policies that restrict sign-ins based on location, device compliance, and risk level. An attacker with valid credentials logging in from an unknown device in a foreign country should be blocked automatically, not just flagged. Second, continuous monitoring of audit logs with alerts configured for inbox rule creation, forwarding rule changes, and anomalous sign-in patterns. Third, a human being who knows what they are looking at and can respond when something fires.

The companies that catch account takeovers early are not necessarily the ones with the most expensive tools. They are the ones with someone actively watching the environment and empowered to act immediately when something looks wrong.

If you do not know whether your Microsoft 365 environment has hidden inbox rules right now, that is worth finding out before an attacker uses one against you.

Need help securing your environment?

Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.
