Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.

Diverse O365 Investigations Inform Proven Forensics Methodology

Kroll’s forensic specialists have spent years investigating O365 security incidents of all sizes, types and complexity. These include business phishing attacks, email compromises, insider threats, compromise of privileged accounts, SMTP relay attacks, etc.

Our experts’ unique experience not only informs Kroll’s robust forensic methodology, but also primes our approach with the agility to recognize and respond to new forms of cyberattacks.

Our investigations deliver actionable information by reconstructing a detailed timeline of a bad actor’s activity in your environment:

Identifying search terms the actor ran and the messages that may have been viewed as a result of those search terms
Isolating mail client vs. web browser–based access
Identifying and compiling emails auto–forwarded by unauthorized mail rules
Looking across an entire O365 tenant to identify other suspicious/unauthorized access, including OneDrive and SharePoint file access
If available, we will also run original phishing campaign discovery and analysis

Explore Cyber and Data Resilience

Microsoft 365 Security Assessment

Cybersecurity Compromise Assessments

Mobile Device Forensics

When it comes to Microsoft Office 365 security, relying on a cybersecurity generalist is like a sailor using a compass to navigate safely through unknown waters and treacherous shoals. If you run O365 now, or are thinking of making the move, know that Kroll specialists work extensively within the O365 environment every day.

We investigate and solve problems for clients around the world, discovering new hazards and navigating known risks. You can rely on our cumulative and ever–expanding O365 security knowledge to help guide you in proactive ways to better safeguard data, especially as O365 continues to evolve, both in security offerings and option controls.

O365 Security Incident Forensic Methodology

Kroll’s forensics methodology for O365 security incidents is structured and implemented in three broad phases. Each phase is customizable for your needs and goals. The team routinely works with counsel and cyber insurance providers, and can provide support remotely, onsite or in combination. Our findings ultimately also help with decision–making around notification efforts, including defensible communications to regulators.

Note: The following is a high–level overview of Kroll’s methodology. Contact Kroll for complete scope of activities.

Phase 1 – Explore and Map Cyber Event Details and Scope

Collect, preserve and analyze relevant available O365 data to determine timeline of events and unauthorized access
Analyze relevant data across all Office 365 accounts for indicators of compromise and scope of risk enterprise–wide
If relevant, identify and enumerate messages that were auto–forwarded outside of client’s tenant and may be at–risk of unauthorized access
Share indicators of compromise identified and collected by Kroll with client to further protect client’s infrastructure
Share findings in verbal presentation and report format as requested by counsel and client

Phase 2 – Sensitive Data Processing and Review

Employ various search techniques to attempt to identify files that are likely to contain sensitive data (as defined by counsel/client)
Use advanced analytics to assist in identifying files that do not require review for sensitive data and perform statistically valid sampling to verify the results
Review files found to contain sensitive data that need to be manually reviewed; perform manual review
Deliver findings of sensitive data processing/review to counsel/client

Phase 3 – Notification Assistance

Help client and their legal counsel draft compliant notification letters
Standardize, scrub and deduplicate mailing list; cross–reference against National Change of Address database
Provide comprehensive reports that demonstrate and document client put forth best effort to notify
Set up and implement call center, supported by data breach/identity theft experts, including access to licensed investigators

Proactively Fortify O365 Email Security With Kroll’s Unique Frontline Insight

Organizations that have deployed O365 are often unaware they can directly improve data security, including their ability to recover after an incident. Kroll offers practical guidance that focuses on the entire email kill chain, including O365 configuration, phishing prevention, workstation defenses and end–user awareness. Our goal is to provide you with a prioritized set of specific recommendations to help manage the email security program.

O365 Email Security Assessment

Goal: Identify material gaps or significant shortcomings in the organization's email security defenses.

Process: Kroll experts remotely review email security defenses with a focus on identifying proactive measures and controls.

Focus

Security settings to restrict unauthorized access
User activity logging and auditing configurations to aid investigative efforts
Email filtering options and configurations in place to prevent phishing attacks and malicious payload delivery
Email access protocols
Secure message communications
Azure Active Directory Security Configuration
Intune Mobile Device Management

O365 Email Secondary Defenses Assessment

Goal: Assess the secondary defensive measures in place to protect the organization against email–based attacks.

Process: Kroll experts conduct interviews with a cross–section of employees and functional areas.

Focus

Workstation controls
Employee Awareness
Incident Response
Business processes related to email authorization of payments
Phishing campaign to gauge employee awareness and effectiveness of controls

O365 is a Dynamic Environment. Is Your Security Keeping Up?

Office 365 is continually introducing new features and retiring older capabilities. You can count on Kroll’s O365 security specialists to be there on the leading edge, able to guide you through challenges and harden security throughout the environment.

In fact, Kroll has you covered end–to–end when it comes to incident response, including our powerful CyberDetectER. Speak with one of our O365 security specialists today to learn about all our capabilities.

Connect with Us

Katherine Keefe

Global Cyber Insurance Industry LeadCyber and Data ResiliencePhiladelphia

Katherine Keefe

Stay Ahead with Kroll

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.

Learn More

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Learn More

Microsoft 365 Security Assessment

Fortify your defenses and maximize your technology investment with a Microsoft 365 security assessment from Kroll.

Learn More

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Learn More

Malware Analysis and Reverse Engineering

Kroll’s Malware Analysis and Reverse Engineering team draws from decades of private and public-sector experience, across all industries, to deliver actionable findings through in-depth technical analysis of benign and malicious code.

Learn More

Malware and Advanced Persistent Threat Detection

Our expertise allows us to identify and analyze the scope and intent of advanced persistent threats to launch a targeted and effective response.

Learn More

Business Email Compromise (BEC) Response and Investigation

With decades of experience investigating BEC scams across a variety of platforms and proprietary forensic tools, Kroll is your ultimate BEC response partner.

Learn More

News

December 2, 2025

Press Release

Kroll Elevates Global MDR Services, Migrating Protection to CrowdStrike Falcon Complete Next-Gen MDR

Kroll Elevates Global Managed Detection and Response Services, Migrating Protection to CrowdStrike Falcon Complete Next-Gen MDR

October 18, 2024

Press Release

Kroll Announces Appointment of Katherine Keefe to Lead Global Cyber Insurance Capabilities

Kroll Appoints Katherine Keefe to Lead Global Cyber Insurance Industry Capabilities

Dave Burg, Katherine Keefe

September 19, 2024

Press Release

Kroll Becomes Relativity Gold Provider Partner

Glen McFarlane

September 12, 2024

Kroll in News

Kroll Recognized 2024 Gartner Market Guide DFIR Services

Kroll Recognized in 2024 Gartner Market Guide for Digital Forensics and Incident Response Retainer Services for the Fifth Consecutive Year

Adam Malone

Let's solve for the future

Yes, I would like to receive periodic event invitations, reports and news from Kroll.

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.