
Why Microsoft 365 Account Takeovers Go Undetected for Weeks

Attackers can live inside Microsoft 365 for days or weeks without setting off obvious alarms. Learn why account takeovers stay hidden, what signs to watch for, and how to close the visibility gap.


This article is the follow-up to How Account Takeovers Actually Happen and How to Stop Them. That post explains how attackers get in. This one explains why they often stay hidden after the first login.

Introduction

Many businesses believe a Microsoft 365 breach will be obvious. They expect a locked account, a malware alert, or a clear warning that something is wrong.

That is not how most account takeovers work.

In many cases, the attacker logs in with valid credentials, passes or bypasses MFA, and then blends into normal business activity. From the outside, the account still looks like a real employee using email, SharePoint, OneDrive, Teams, and Microsoft 365 admin features.

This is why Microsoft 365 account takeovers can go undetected for days or even weeks. The attacker is not always breaking the door down. Sometimes they are already inside, quietly reading emails, learning payment processes, and waiting for the right moment.

Valid Credentials Do Not Look Like Malware

Traditional security tools are good at finding malicious files, suspicious executables, and known malware behavior. Account takeover activity is different because the attacker is using a real username and password.

That means the activity may look legitimate at first glance:

  • A successful login
  • Email access through Outlook Web App
  • Mailbox searches
  • Teams or SharePoint access
  • Inbox rule changes
  • File downloads from OneDrive

None of these actions is malicious on its own. The risk comes from the pattern, timing, location, device, and intent behind the activity.

The key problem: Microsoft 365 may record the evidence, but many businesses do not have anyone actively reviewing it, correlating it, or responding fast enough.

Attackers Know How to Stay Quiet

Once attackers gain access, they usually do not immediately send obvious spam or trigger noisy alerts. The smarter move is to observe.

They review email threads, identify vendors, study invoice language, search for wire transfer terms, and learn who has approval authority. In professional services firms, this can be extremely damaging because email often contains client files, payment instructions, legal communication, tax records, and confidential business details.

Attackers may search for terms like:

  • Invoice
  • Wire
  • Payment
  • ACH
  • Bank
  • Closing
  • Retainer
  • Tax return

This discovery phase is quiet. If nobody is monitoring mailbox activity, risky sign-ins, external forwarding, or inbox rule creation, the attacker may remain invisible until money is redirected or sensitive data is exposed.

Inbox Rules Hide the Attack

One of the most common persistence techniques in Microsoft 365 account takeovers is the creation of malicious inbox rules.

Attackers use these rules to automatically move, delete, forward, or hide important emails. This lets them suppress security warnings, hide conversations from the real user, and control communication around payments or account recovery.

Examples include rules that:

  • Move emails containing “invoice” or “payment” to an obscure folder
  • Delete MFA or security notification emails
  • Forward messages to an outside account
  • Mark important messages as read
  • Hide replies from banks, clients, or vendors

To the user, it may look like emails are missing or conversations have gone quiet. To the attacker, the mailbox is now a control point.
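The rule patterns listed above can be checked directly against a mailbox. The script below is an added example, not code from the original post or from Black Tower Cyber. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run as an account that can read the mailbox's rules; the mailbox address, the internal domain list, the keyword list and the "rarely viewed folder" names are placeholders and assumptions for illustration.

```powershell
# Added example: triage one mailbox's inbox rules for the patterns described in this article.
# Assumes: ExchangeOnlineManagement installed, Connect-ExchangeOnline already run.
# Placeholders/assumptions: mailbox address, internal domains, keyword list, folder names.

$Mailbox         = 'user@example.com'                 # placeholder: mailbox under review
$InternalDomains = @('example.com')                   # assumption: anything else is "external"
$PaymentKeywords = @('invoice', 'wire', 'payment', 'ach', 'bank', 'closing', 'retainer', 'tax return')
$QuietFolders    = 'RSS|Conversation History|Archive|Junk'   # assumption: folders users rarely open

# A recipient string from Get-InboxRule looks like  "Name" [SMTP:addr@domain]  or a bare address.
function Test-ExternalRecipient {
    param([string]$Recipient)
    if (-not $Recipient) { return $false }
    if ($Recipient -match '([\w.+-]+@[\w.-]+)') {
        $domain = ($Matches[1] -split '@')[1].ToLower()
        return ($InternalDomains -notcontains $domain)
    }
    return $false
}

function Get-SuspiciousInboxRules {
    param([string]$Identity)
    foreach ($rule in (Get-InboxRule -Mailbox $Identity)) {
        $reasons = @()

        # Rules that push mail out of the tenant
        $targets = @()
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') { $targets += @($rule.$prop) }
        foreach ($t in $targets) {
            if (Test-ExternalRecipient $t) { $reasons += "sends externally to $t" }
        }

        # Rules that hide mail from the real user
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead)    { $reasons += 'marks messages as read' }

        # Rules keyed on payment language in subject or body
        $words = @()
        foreach ($prop in 'SubjectContainsWords', 'SubjectOrBodyContainsWords', 'BodyContainsWords') { $words += @($rule.$prop) }
        $hits = @($words | Where-Object { $w = $_; $PaymentKeywords | Where-Object { $w -like "*$_*" } })
        if ($hits.Count -gt 0) { $reasons += "keys on payment terms: $($hits -join ', ')" }

        # Rules that file mail into a folder the user is unlikely to check
        if ($rule.MoveToFolder -and ($rule.MoveToFolder -match $QuietFolders)) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $Identity
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Priority = $rule.Priority
                Reasons  = $reasons -join '; '
                RuleId   = $rule.Identity     # pass to Remove-InboxRule -Mailbox <id> -Identity <RuleId> after review
            }
        }
    }
}

Get-SuspiciousInboxRules -Identity $Mailbox | Format-Table -AutoSize
```

Review the output with the user before removing anything: a rule that moves "invoice" mail to a folder may be a bookkeeper's own filing habit. A rule that forwards externally, deletes, or marks messages as read is rarely something a user created without remembering it.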

MFA Does Not Always Mean the Account Is Safe

MFA is important, but it is not a complete security strategy by itself. Attackers continue to bypass MFA through phishing kits, token theft, consent phishing, push fatigue, and stolen session cookies.

If an attacker steals a valid session token, they may not need to approve another MFA prompt. This is why simply resetting the password may not fully remove access unless active sessions are revoked and authentication methods are reviewed.

A real response should include more than a password reset. It should include session revocation, MFA method review, sign-in log analysis, mailbox rule review, forwarding checks, application permission review, and endpoint inspection where appropriate.

Why Small Businesses Miss the Warning Signs

Most small and mid-sized businesses are not ignoring security because they do not care. They miss account takeovers because the signals are spread across multiple places.

The warning signs may exist in:

  • Microsoft Entra ID sign-in logs
  • Microsoft 365 audit logs
  • Exchange mailbox rules
  • Defender alerts
  • Endpoint activity
  • Email security logs
  • User-reported suspicious activity

Without a defined incident response process, these clues are easy to miss. One person may notice an MFA prompt. Another may notice missing emails. Another may see a strange login. But nobody connects the dots until the damage is done.

Signs an Account Takeover May Be Active

Businesses should take the following signs seriously:

  • Successful logins from unusual countries, regions, VPN providers, or unfamiliar IP addresses
  • Multiple failed logins followed by a successful login
  • New MFA methods added to an account
  • Unexpected MFA prompts reported by a user
  • New inbox rules, especially rules that delete, move, or forward emails
  • External forwarding enabled on a mailbox
  • Suspicious OAuth applications or delegated permissions
  • Unusual mailbox access outside normal working hours
  • Emails sent from a real employee's account that do not match their normal writing style

How to Reduce Dwell Time

The goal is not just to prevent account takeovers. The goal is to detect and contain them quickly when they happen.

Monitor sign-ins continuously

Review risky sign-ins, impossible travel, unfamiliar locations, legacy authentication, and repeated failed login attempts followed by success.
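One way to turn this review into a repeatable check is to pull recent Entra sign-ins and flag the patterns named above. The script below is an added example, not code from the original post or from Black Tower Cyber. It assumes the Microsoft.Graph PowerShell SDK is installed and Connect-MgGraph has been run with AuditLog.Read.All and Directory.Read.All; the lookback window, the expected countries, the failure threshold and the list of legacy client names are assumptions for illustration. It generalises the section slightly by handling three signals in one pass: a failure burst followed by a success from the same IP, successes from countries outside the expected list, and any legacy authentication client.

```powershell
# Added example: flag suspicious sign-in patterns from Microsoft Entra sign-in logs.
# Assumes: Microsoft.Graph installed, Connect-MgGraph run with AuditLog.Read.All, Directory.Read.All.
# Assumptions for illustration: lookback window, expected countries, failure threshold, legacy client names.

$LookbackHours     = 24
$ExpectedCountries = @('US')                     # assumption: where staff normally sign in from
$FailureThreshold  = 5                           # assumption: failures before a success that count as a burst
$LegacyClients     = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP', 'Other clients')

function New-SignInAlert {
    param($SignIn, [string]$Reason)
    [pscustomobject]@{
        When   = $SignIn.CreatedDateTime
        User   = $SignIn.UserPrincipalName
        IP     = $SignIn.IpAddress
        Where  = "$($SignIn.Location.City), $($SignIn.Location.CountryOrRegion)"
        Client = $SignIn.ClientAppUsed
        Reason = $Reason
    }
}

function Get-SignInAlerts {
    $since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signins = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | Sort-Object CreatedDateTime
    $alerts  = New-Object System.Collections.Generic.List[object]

    # 1. Failure burst then success, tracked per user and source IP (Status.ErrorCode 0 means success)
    foreach ($group in ($signins | Group-Object UserPrincipalName, IpAddress)) {
        $failures = 0
        foreach ($s in $group.Group) {
            if ($s.Status.ErrorCode -ne 0) { $failures++; continue }
            if ($failures -ge $FailureThreshold) {
                $alerts.Add((New-SignInAlert $s "success after $failures failures from the same IP"))
            }
            $failures = 0
        }
    }

    # 2. Successful sign-ins from unexpected countries, and 3. legacy authentication clients
    foreach ($s in ($signins | Where-Object { $_.Status.ErrorCode -eq 0 })) {
        $country = $s.Location.CountryOrRegion
        if ($country -and ($ExpectedCountries -notcontains $country)) {
            $alerts.Add((New-SignInAlert $s "success from unexpected country $country"))
        }
        if ($LegacyClients -contains $s.ClientAppUsed) {
            $alerts.Add((New-SignInAlert $s "legacy authentication client"))
        }
    }

    return $alerts
}

Get-SignInAlerts | Sort-Object When -Descending | Format-Table -AutoSize
```

Impossible travel and risk-scored sign-ins are computed by Entra ID Protection rather than by this script; if the tenant is licensed for it, the same session can read those with Get-MgRiskDetection and Get-MgRiskyUser. Treat the country list as a starting point: travelling staff and VPN exit nodes will need exceptions, and those exceptions should be written down.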

Alert on inbox rule creation

New inbox rules should be monitored, especially rules that forward externally, delete messages, mark messages as read, or move messages based on payment-related keywords.
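Rule creation and changes are recorded in the unified audit log, so the alerting described here can be scripted. The following is an added example, not code from the original post or from Black Tower Cyber. It assumes ExchangeOnlineManagement is installed, Connect-ExchangeOnline has been run as an account allowed to search the audit log, and unified audit logging is enabled for the tenant; the lookback window and keyword list are assumptions. The flags are a coarse match on the raw audit JSON, because the record layout differs between rules created with New-InboxRule and rules created from Outlook (UpdateInboxRules), so tune the patterns to what your tenant actually logs.

```powershell
# Added example: alert on inbox rule creation/changes from the unified audit log.
# Assumes: ExchangeOnlineManagement installed, Connect-ExchangeOnline run, unified audit logging on.
# Assumptions for illustration: lookback window, keyword list, coarse string matching on AuditData.

$LookbackDays    = 7
$PaymentKeywords = @('invoice', 'wire', 'payment', 'ach', 'bank', 'closing', 'retainer')
$RuleOperations  = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules')   # admin cmdlets and Outlook clients

function Get-InboxRuleAlerts {
    param([int]$Days = $LookbackDays)

    # One call returns up to 5000 records; loop on -SessionId for larger tenants
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations $RuleOperations -ResultSize 5000 -SessionCommand ReturnLargeSet

    foreach ($r in $records) {
        $json  = $r.AuditData
        $data  = $json | ConvertFrom-Json
        $flags = @()

        if ($json -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo') { $flags += 'forwards or redirects' }
        if ($json -match 'DeleteMessage')                               { $flags += 'deletes' }
        if ($json -match 'MarkAsRead')                                  { $flags += 'marks as read' }

        # Word-boundary match so short keywords such as "ach" do not hit "Attachment"
        $kw = @($PaymentKeywords | Where-Object { $json -match "\b$_\b" })
        if ($kw.Count -gt 0) { $flags += "payment keywords: $($kw -join ', ')" }

        if ($flags.Count -gt 0) {
            # Exchange records carry the source address as ClientIP or ClientIPAddress depending on the workload
            $ip = if ($data.ClientIP) { $data.ClientIP } else { $data.ClientIPAddress }
            [pscustomobject]@{
                When      = $r.CreationDate
                User      = $r.UserIds
                Operation = $r.Operations
                ClientIP  = $ip
                Flags     = $flags -join '; '
            }
        }
    }
}

Get-InboxRuleAlerts | Sort-Object When -Descending | Format-Table -AutoSize
```

Run it on a schedule and route the output to whoever owns incident response. The ClientIP column is the quick correlation point back to the sign-in logs: a rule created from an address the user never signed in from before is worth a phone call that day.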

Block external forwarding

External forwarding should be disabled by default unless there is a documented business reason.
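Two tenant-wide settings govern automatic external forwarding in Exchange Online, and a mailbox-level forwarding address set by an attacker will sit alongside any rules. The script below is an added example, not code from the original post or from Black Tower Cyber. It assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been run as an Exchange administrator; the internal domain list is a placeholder.

```powershell
# Added example: check, then harden, external auto-forwarding in Exchange Online.
# Assumes: ExchangeOnlineManagement installed, Connect-ExchangeOnline run as an Exchange admin.
# Placeholder: internal domain list.

$InternalDomains = @('example.com')   # placeholder

# Weak state seen in many tenants: AutoForwardingMode 'Automatic' (decision left to the service)
# and AutoForwardEnabled $true on the default remote domain (rules may forward anywhere).
function Get-ForwardingPosture {
    [pscustomobject]@{
        OutboundSpamPolicyAutoForwardingMode = (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode
        DefaultRemoteDomainAutoForward       = (Get-RemoteDomain -Identity Default).AutoForwardEnabled
    }
}

# Corrected state: explicit Off at the outbound spam policy and off at the default remote domain.
function Disable-ExternalAutoForwarding {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

# Mailboxes whose mailbox-level forwarding already points somewhere (external ones are the concern)
function Get-MailboxForwarding {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        ForEach-Object {
            $addr   = $_.ForwardingSmtpAddress -replace '^smtp:', ''      # stored as smtp:user@domain
            $domain = if ($addr) { ($addr -split '@')[-1].ToLower() } else { $null }
            [pscustomobject]@{
                Mailbox                    = $_.UserPrincipalName
                ForwardingSmtpAddress      = $addr
                ForwardingAddress          = $_.ForwardingAddress          # internal recipient, if used
                DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward # $false means the user never sees the mail
                External                   = [bool]($domain -and ($InternalDomains -notcontains $domain))
            }
        }
}

Get-ForwardingPosture
Get-MailboxForwarding | Format-Table -AutoSize
# Disable-ExternalAutoForwarding   # run once every listed forward has a documented owner or has been removed
```

Where a documented business reason exists, keep the default policy at Off and create a separate outbound spam filter policy scoped to just those users with forwarding allowed; that keeps the exception visible instead of weakening the tenant-wide default.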

Use phishing-resistant MFA where possible

Number matching is better than simple push approval, but phishing-resistant MFA methods such as FIDO2 security keys provide stronger protection for high-risk users and administrators.

Limit admin privileges

Reduce the number of global administrators and require stronger access controls for privileged users.

Have an incident response process before the incident

Businesses need a documented process for disabling accounts, revoking sessions, preserving evidence, reviewing audit logs, removing persistence, and communicating with affected users.

What to Do If You Suspect a Microsoft 365 Account Takeover

If you believe an account has been compromised, do not rely on a password reset alone.

At minimum, the response should include:

  • Disable or temporarily block the account
  • Revoke active sessions and refresh tokens
  • Reset the password
  • Review and remove suspicious MFA methods
  • Review sign-in logs and audit logs
  • Check inbox rules and forwarding settings
  • Review sent items, deleted items, and mailbox access
  • Look for suspicious OAuth applications
  • Identify whether data was accessed or exfiltrated
  • Preserve evidence before making major changes where possible

Final Thoughts

Microsoft 365 account takeovers go undetected because attackers use real accounts, real tools, and normal business workflows. They do not always need malware. They do not always need an exploit. They need one user, one stolen session, or one approved MFA prompt.

The difference between a minor security event and a serious breach comes down to visibility, process, and speed.

If your business uses Microsoft 365, you should know what normal activity looks like, what suspicious activity looks like, and who is responsible for responding when something does not look right.

Need help reviewing your Microsoft 365 environment? Black Tower Cyber helps businesses investigate account takeovers, remove attacker persistence, and harden Microsoft 365 before the next incident.
