Organizations increasingly rely on cloud platforms for day-to-day productivity, and attackers have followed them there. A large share of attacks on these platforms begin with credential theft. In Microsoft 365, a user account compromised through stolen credentials can lead to unauthorized mailbox access, exfiltration of sensitive SharePoint and OneDrive data, business email compromise (BEC), and privilege escalation within the organization.
Fortunately, Microsoft 365 provides several built-in tools that managed service providers (MSPs) or system administrators can utilize to combat credential theft. These tools, including sign-in logs, audit trails, and conditional access policies, can help detect signs of compromise and respond to threats in real time. In this guide, we will walk you through the strategies for detecting and responding to credential theft in Microsoft 365 environments.
| Task | Purpose |
| --- | --- |
| Step 1: Enable audit logging and sign-in alerts | Ensures critical user and admin activity is recorded and alertable |
| Step 2: Detect suspicious activity in sign-in logs | Identifies potentially compromised accounts using risky login patterns |
| Step 3: Investigate suspicious mailbox activity | Traces account abuse like forwarding rules or unusual access |
| Step 4: Isolate and reset affected accounts | Contains the breach by revoking sessions and resetting credentials |
| Step 5: Harden access policies | Prevents future credential theft through stronger access controls |
| Step 6: Monitor for recurrence and automate response | Detects recurring threats and automates remediation via tools/scripts |
Prerequisites for credential theft management in Microsoft 365 environments
Before you start, make sure your environment meets the following requirements:
- Microsoft 365 tenant with Microsoft Entra ID P1 (formerly Azure AD Premium P1) or higher
- Microsoft Defender for Cloud Apps or Microsoft Entra ID Protection (recommended; ID Protection requires P2, and without it the risk fields in the sign-in log are returned as hidden)
- Audit logging and the Unified Audit Log (UAL) enabled
- Admin account with the Global Administrator or Security Administrator role. Prefer the least-privileged role that covers the task: Security Reader is enough for reviewing logs, and a role that can reset passwords is needed for containment; avoid using a standing Global Administrator for routine investigation.
- PowerShell access with Microsoft Graph or Exchange Online modules
- (Optional) SIEM integration for centralized alert management
Step 1: Enable audit logging and sign-in alerts
📌 Use Case:
This step makes sure that the activity of users and admins, especially privileged ones, is recorded and can raise alerts. Audit logging is on by default in most current tenants, but verify it rather than assume it.
Enable audit logging:
- Go to the Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Center).
- Open Audit.
- If audit logging isn't enabled, click Start recording user and admin activity. It can take up to an hour after auditing is turned on before events appear in searches.
Check Microsoft Entra sign-in logs
- In the Microsoft Entra admin center go to Identity > Monitoring & health > Sign-in logs (formerly Azure AD > Monitoring > Sign-ins).
- Use filters to identify:
- Risky sign-ins
- Unfamiliar locations
- Legacy authentication usage
These filters help surface events like logins from strange IP addresses or applications using outdated protocols.
Step 2: Detect suspicious activity in sign-in logs
📌 Use Case:
This step analyzes sign-in logs to detect anomalous actions that may indicate potential credential theft.
Look for the following red flags:
- Impossible travel: for example, successful sign-ins for one user from New York and Singapore a few minutes apart. The location is derived from the IP address, so VPNs and mobile carriers cause false positives; treat it as a lead to verify against the device and client app, not as proof.
- Multiple failed sign-in attempts: this may be someone forgetting their password, but a burst of failures from one IP address suggests brute force. Also watch for password spraying, where one source tries a few common passwords against many accounts; it stays below per-account lockout thresholds, so count failures per source IP, not only per user.
- Use of legacy protocols: IMAP, POP3 and SMTP AUTH rely on Basic authentication, which cannot enforce MFA, so they are a favorite way to use a stolen password. Microsoft has retired Basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per tenant or mailbox, so block legacy authentication explicitly (see Step 5).
- Sign-ins from unfamiliar IP addresses: interactive (browser) sign-ins from hosting providers, anonymizing VPNs, or countries where you have no users may be an attacker using stolen credentials.
To query sign-ins from PowerShell instead of the portal, run one of the following:
- Microsoft Graph PowerShell (the current module):
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -Top 50 | Where-Object { $_.RiskLevelAggregated -ne "none" }
- AzureADPreview module (deprecated; Microsoft has retired the AzureAD and MSOnline modules, so use the Graph commands above for new scripts):
Connect-AzureAD
Get-AzureADAuditSignInLogs | Where-Object { $_.Status.ErrorCode -ne 0 }
The first query lists sign-ins that Entra ID Protection rated as risky (the risk fields need a P2 license and read hidden otherwise); the second lists failed sign-ins. Note that -Top 50 only looks at the newest 50 events; for an investigation use -All together with a -Filter on createdDateTime to cover the whole window of interest. Because the same commands work against any tenant, they are easy to script across the tenants an MSP manages.
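The three red flags above can be checked with a few lines of PowerShell. The following is an added example, not code from the original article: the sign-in records are constructed, but their property names mirror Get-MgAuditLogSignIn output so the same functions can be pointed at real data. The thresholds (60 minutes for impossible travel, 5 failures in 10 minutes) and the list of legacy client apps are assumptions you should tune.

```powershell
# Added example, not code from the original article. The sign-in records are constructed;
# their property names mirror Get-MgAuditLogSignIn output so the same functions can be run
# on real data. The thresholds and the list of legacy client apps are assumptions.

function New-SignIn {
    param([string]$Upn, [string]$Time, [string]$Ip, [string]$Country, [string]$App, [int]$ErrorCode = 0)
    [pscustomobject]@{
        UserPrincipalName = $Upn
        CreatedDateTime   = [datetime]::Parse($Time, [cultureinfo]::InvariantCulture)
        IpAddress         = $Ip
        Location          = @{ CountryOrRegion = $Country }
        ClientAppUsed     = $App
        Status            = @{ ErrorCode = $ErrorCode }
    }
}

# Constructed sample: Alice succeeds from the US and then Singapore 12 minutes later,
# Bob connects over IMAP, and one IP fails against Carol five times in four minutes.
$signIns = @(
    New-SignIn 'alice@contoso.com' '2025-01-06 09:00' '203.0.113.10' 'US' 'Browser'
    New-SignIn 'alice@contoso.com' '2025-01-06 09:12' '198.51.100.7' 'SG' 'Browser'
    New-SignIn 'bob@contoso.com'   '2025-01-06 10:00' '192.0.2.44'   'US' 'IMAP4'
)
$signIns += 0..4 | ForEach-Object {
    New-SignIn 'carol@contoso.com' "2025-01-06 11:0$_" '192.0.2.99' 'NL' 'Browser' -ErrorCode 50126  # 50126 = wrong password
}

# Assumption: sign-ins whose ClientAppUsed is one of these cannot enforce MFA.
$LegacyClientApps = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients'

function Find-ImpossibleTravel {
    # Two successful sign-ins for one user from different countries within $MaxMinutes.
    param([object[]]$Events, [int]$MaxMinutes = 60)
    $ok = $Events | Where-Object { $_.Status.ErrorCode -eq 0 }
    foreach ($user in ($ok | Group-Object UserPrincipalName)) {
        $ordered = @($user.Group | Sort-Object CreatedDateTime)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $curr = $ordered[$i]
            $minutes = ($curr.CreatedDateTime - $prev.CreatedDateTime).TotalMinutes
            if ($prev.Location.CountryOrRegion -ne $curr.Location.CountryOrRegion -and $minutes -le $MaxMinutes) {
                [pscustomobject]@{ User = $user.Name; From = $prev.Location.CountryOrRegion
                                   To = $curr.Location.CountryOrRegion; Minutes = [int]$minutes; SecondIp = $curr.IpAddress }
            }
        }
    }
}

function Find-FailedSignInBursts {
    # $Threshold or more failures from one source IP inside $WindowMinutes. Counting per IP
    # rather than per user also catches password spraying spread across many accounts.
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $failed = $Events | Where-Object { $_.Status.ErrorCode -ne 0 }
    foreach ($src in ($failed | Group-Object IpAddress)) {
        $times = @($src.Group | Sort-Object CreatedDateTime | ForEach-Object { $_.CreatedDateTime })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ IpAddress = $src.Name; Failures = $times.Count
                                   Users = (@($src.Group.UserPrincipalName | Sort-Object -Unique) -join ','); FirstSeen = $times[0] }
                break
            }
        }
    }
}

function Find-LegacyAuth {
    param([object[]]$Events)
    $Events | Where-Object { $_.ClientAppUsed -in $LegacyClientApps } |
        Select-Object UserPrincipalName, ClientAppUsed, IpAddress, CreatedDateTime
}

Write-Host '== Impossible travel ==';     Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
Write-Host '== Failed sign-in bursts =='; Find-FailedSignInBursts -Events $signIns | Format-Table -AutoSize
Write-Host '== Legacy authentication =='; Find-LegacyAuth -Events $signIns | Format-Table -AutoSize
```

On the sample data this flags Alice (US to SG in 12 minutes), the 192.0.2.99 burst against Carol, and Bob's IMAP4 session. To run it against a tenant, replace $signIns with the output of Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2025-01-01T00:00:00Z" (the sign-in log retains 30 days with a P1/P2 license). Location is IP-derived and imprecise, so confirm an impossible-travel hit by checking the device, client app and conditional access result on the second sign-in before taking containment action.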
Step 3: Investigate suspicious mailbox activity
📌 Use Case:
This step tracks account abuse such as forwarding rules or unusual access. Threat actors often create inbox rules that forward or delete mail in order to exfiltrate data silently and to hide the replies that would expose them.
- Open PowerShell. Elevation is only needed if the ExchangeOnlineManagement module still has to be installed for all users; the cmdlets themselves run against Exchange Online under your admin account.
- Run the following commands:
- To search the mailbox audit log for the last seven days:
Connect-ExchangeOnline
Search-MailboxAuditLog -Mailboxes <UserPrincipalName> -ShowDetails -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
Microsoft is retiring Search-MailboxAuditLog in favor of the unified audit log; if the cmdlet is unavailable in your tenant, run Search-UnifiedAuditLog with the same date range and -UserIds <UserPrincipalName>, optionally narrowed with -Operations New-InboxRule,Set-InboxRule,Set-Mailbox.
- To find inbox rules that forward, redirect or delete mail:
Get-InboxRule -Mailbox <UserPrincipalName> | Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage }
Inbox rules are not the only forwarding path: mailbox-level forwarding set with Set-Mailbox (the ForwardingSmtpAddress and ForwardingAddress properties shown by Get-Mailbox) never appears in Get-InboxRule output, so check it as well.
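A plain "has a forward" filter misses the patterns attackers actually use: rules named "." or "," that forward externally and then delete, rules that move anything mentioning "password" or "helpdesk" into RSS Feeds and mark it read, and mailbox-level forwarding that bypasses inbox rules entirely. The following is an added example, not code from the original article. The rule and mailbox objects are constructed to mimic Get-InboxRule and Get-Mailbox output; the recipient string format, the list of "hiding" folders and the internal domain list are assumptions.

```powershell
# Added example, not code from the original article. The rule and mailbox objects are constructed
# to mimic Get-InboxRule and Get-Mailbox output. Assumptions: recipient strings contain an SMTP
# address, the "hiding" folder list, and the internal domain list.

$InternalDomains = @('contoso.com')   # assumption: your tenant's accepted domains
$HidingFolders   = 'RSS Feeds', 'RSS Subscriptions', 'Deleted Items', 'Junk Email', 'Archive', 'Conversation History'

function New-Rule {
    param([string]$Name, [string[]]$ForwardTo, [bool]$Delete = $false, [string]$MoveTo,
          [bool]$MarkRead = $false, [string[]]$Keywords)
    [pscustomobject]@{
        Name = $Name; Enabled = $true; ForwardTo = $ForwardTo; RedirectTo = $null; ForwardAsAttachmentTo = $null
        DeleteMessage = $Delete; MoveToFolder = $MoveTo; MarkAsRead = $MarkRead; SubjectContainsWords = $Keywords
    }
}

# Constructed sample: a classic BEC rule ('.'), a rule that buries helpdesk mail, and a benign one.
$rules = @(
    New-Rule -Name '.'       -ForwardTo '"Mallory" [SMTP:mallory@example.net]' -Delete $true -Keywords 'invoice', 'payment'
    New-Rule -Name 'Hide IT' -MoveTo 'RSS Feeds' -MarkRead $true -Keywords 'password', 'helpdesk'
    New-Rule -Name 'Team CC' -ForwardTo '"Bob" [SMTP:bob@contoso.com]'
)
$mailbox = [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ForwardingSmtpAddress = 'smtp:dropbox@example.net'
                              ForwardingAddress = $null; DeliverToMailboxAndForward = $true }

function Get-RecipientAddress {
    # Pull the SMTP address out of strings like '"Mallory" [SMTP:mallory@example.net]' or 'smtp:x@y'.
    param([string[]]$Recipients)
    foreach ($r in @($Recipients)) {
        if ($r -and $r -match '[\w.+-]+@[\w-]+(\.[\w-]+)+') { $Matches[0].ToLower() }
    }
}

function Test-SuspiciousInboxRule {
    param([Parameter(ValueFromPipeline)]$Rule, [string[]]$InternalDomains)
    process {
        $reasons  = @()
        $targets  = Get-RecipientAddress -Recipients (@($Rule.ForwardTo) + @($Rule.RedirectTo) + @($Rule.ForwardAsAttachmentTo))
        $external = @($targets | Where-Object { ($_ -split '@')[1] -notin $InternalDomains })
        if ($external.Count)     { $reasons += "forwards externally to $($external -join ',')" }
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($Rule.MoveToFolder -and ($Rule.MoveToFolder -in $HidingFolders)) { $reasons += "moves mail to '$($Rule.MoveToFolder)'" }
        if ($Rule.MarkAsRead -and $Rule.SubjectContainsWords) { $reasons += 'marks keyword matches as read' }
        if (([string]$Rule.Name).Trim().Length -le 2) { $reasons += 'empty or single-character name' }
        if ($reasons.Count) {
            [pscustomobject]@{ Rule = $Rule.Name; Enabled = $Rule.Enabled
                               Keywords = ($Rule.SubjectContainsWords -join ','); Reasons = ($reasons -join '; ') }
        }
    }
}

function Test-MailboxForwarding {
    # Mailbox-level forwarding is set with Set-Mailbox and never shows up in Get-InboxRule.
    param([Parameter(ValueFromPipeline)]$Mailbox, [string[]]$InternalDomains)
    process {
        foreach ($a in (Get-RecipientAddress -Recipients @($Mailbox.ForwardingSmtpAddress, $Mailbox.ForwardingAddress))) {
            if (($a -split '@')[1] -notin $InternalDomains) {
                [pscustomobject]@{ Mailbox = $Mailbox.UserPrincipalName; ForwardsTo = $a; KeepsCopy = $Mailbox.DeliverToMailboxAndForward }
            }
        }
    }
}

$rules   | Test-SuspiciousInboxRule -InternalDomains $InternalDomains | Format-Table -AutoSize
$mailbox | Test-MailboxForwarding   -InternalDomains $InternalDomains | Format-Table -AutoSize
```

On the sample data the '.' rule is reported for three reasons (external forward, delete, single-character name), 'Hide IT' for two (hiding folder, marks as read), 'Team CC' not at all, and the mailbox for forwarding to example.net. Against a tenant, pipe Get-InboxRule -Mailbox <UserPrincipalName> into Test-SuspiciousInboxRule -InternalDomains (Get-AcceptedDomain).DomainName and Get-Mailbox <UserPrincipalName> into Test-MailboxForwarding. Note that ForwardingAddress holds a recipient identity rather than an SMTP string, so resolve it with Get-Recipient if it is set. Export flagged rules as evidence before you disable them.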
Step 4: Isolate and reset affected accounts
📌 Use Case:
This step contains a confirmed compromise by blocking sign-in, revoking sessions and resetting credentials, in that order: block first so no new tokens can be issued, then revoke the tokens the attacker already holds, then change the password.
- Open PowerShell (elevation is not required for these cmdlets).
- Run the following commands. They use the legacy AzureAD and MSOnline modules, which Microsoft has deprecated and retired; the Microsoft Graph PowerShell equivalents are Update-MgUser -AccountEnabled:$false, Revoke-MgUserSignInSession and Update-MgUser -PasswordProfile.
- To block sign-in temporarily:
Set-MsolUser -UserPrincipalName <UserPrincipalName> -BlockCredential $true
- To revoke sessions (this invalidates refresh tokens; access tokens already issued remain valid until they expire, typically about an hour, unless Continuous Access Evaluation applies):
Revoke-AzureADUserAllRefreshToken -ObjectId <UserObjectId>
- To force a password reset (the -Password parameter takes a SecureString, and the temporary value must be randomly generated for each incident, never a fixed string reused across tickets and scripts):
Set-AzureADUserPassword -ObjectId <UserObjectId> -Password (ConvertTo-SecureString "<RandomTempPassword>" -AsPlainText -Force) -ForceChangePasswordNextLogin $true
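The same containment, written as a single runbook on the current modules so that the order is fixed, the temporary password is random, and the attacker's persistence (forwarding rules, mailbox forwarding, self-registered MFA methods) is handled in the same pass. This is an added example, not code from the original article; it assumes Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All" and Connect-ExchangeOnline have already been run, that the signed-in admin holds a role allowed to reset passwords, and that the Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules are installed. The user name and evidence path are placeholders.

```powershell
# Added example, not code from the original article. Assumes Connect-MgGraph and Connect-ExchangeOnline
# have already been run with an account that may reset passwords. -WhatIf prints the plan without changes.

function New-TemporaryPassword {
    # Random temporary password from a CSPRNG, never a hard-coded string.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)       # rejection sampling avoids modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [string]$EvidencePath = '.')   # placeholder: where exported rules are kept as evidence

    # Order matters: stop new tokens first, then kill existing sessions, then change the secret.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block sign-in')) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke refresh tokens and sessions')) {
        # Access tokens already issued stay valid until they expire (about an hour) unless CAE applies.
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
    $temp = $null
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password to a random temporary value')) {
        $temp = New-TemporaryPassword
        Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Preserve and disable forwarding/deleting inbox rules')) {
        $rules = Get-InboxRule -Mailbox $UserPrincipalName
        $rules | Export-Clixml (Join-Path $EvidencePath "$UserPrincipalName-inboxrules.xml")   # evidence before changes
        $rules | Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage } |
            ForEach-Object { Disable-InboxRule -Identity $_.Identity -Mailbox $UserPrincipalName -Confirm:$false }
        # Mailbox-level forwarding is separate from inbox rules and easy to miss.
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'List registered authentication methods')) {
        # Attackers often register their own MFA method; review the list and remove anything the user does not recognize.
        Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
            Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } | Format-Table -AutoSize
    }
    # Re-enable only after the user has been verified by phone or in person:
    #   Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
    [pscustomobject]@{ User = $UserPrincipalName; TemporaryPassword = $temp; ContainedAtUtc = (Get-Date).ToUniversalTime() }
}

Invoke-AccountContainment -UserPrincipalName 'alice@contoso.com' -WhatIf   # placeholder user; dry run prints the plan
```

Run it with -WhatIf first to see the five actions without changing anything, then without. The returned object carries the temporary password so it can be handed to the user out of band (phone or in person, never by email to the mailbox you just contained); treat the console transcript as sensitive for the same reason. Rules are disabled rather than deleted and exported first, so the investigation keeps its evidence.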
Step 5: Harden access policies
📌 Use Case:
This step prevents recurrence by tightening access controls with Group Policy Objects (GPO) for domain-joined machines and with Conditional Access in Microsoft Entra ID.
GPO recommendations (these govern on-premises Active Directory accounts, including ones synchronized to the cloud; cloud-only accounts follow the Entra ID password policy and Entra Password Protection instead):
- Enforce strong password policies under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
- Enforce password history and require that passwords meet complexity requirements.
- Enable smart card or multi-factor authentication (MFA) support.
Conditional Access policies (Microsoft Entra ID):
- Require MFA for all users.
- Block legacy authentication.
- Enforce location-based access restrictions using named locations. Exclude your break-glass accounts from every policy so a misconfiguration cannot lock all administrators out, and alert on any sign-in by those accounts.
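The first two Conditional Access policies above can be created from PowerShell, which also makes them easy to roll out across many tenants. The following is an added example, not code from the original article. It uses Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns) and assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" has already been run; the break-glass object ID and the policy names are placeholders. Both policies are created in report-only mode so you can measure their impact before enforcing.

```powershell
# Added example, not code from the original article. Assumes Connect-MgGraph with
# Policy.ReadWrite.ConditionalAccess has already been run. Break-glass ID is a placeholder.

$BreakGlassIds = @('00000000-0000-0000-0000-000000000000')   # placeholder: object IDs of your emergency-access accounts

function New-CredentialTheftPolicySet {
    param([string[]]$ExcludeUsers)
    # Shared scope: everyone except break-glass accounts, every cloud app.
    $common = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $ExcludeUsers }
        applications = @{ includeApplications = @('All') }
    }
    @(
        @{
            displayName   = 'CA001 - Block legacy authentication'
            state         = 'enabledForReportingButNotEnforced'   # report-only; switch to 'enabled' after review
            conditions    = $common + @{ clientAppTypes = @('exchangeActiveSync', 'other') }   # 'other' = IMAP, POP, SMTP AUTH, ...
            grantControls = @{ operator = 'OR'; builtInControls = @('block') }
        }
        @{
            displayName   = 'CA002 - Require MFA for all users'
            state         = 'enabledForReportingButNotEnforced'
            conditions    = $common + @{ clientAppTypes = @('all') }
            grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
        }
    )
}

$policies = New-CredentialTheftPolicySet -ExcludeUsers $BreakGlassIds
$policies | ForEach-Object { $_ | ConvertTo-Json -Depth 5 }                           # review the request bodies first
$policies | ForEach-Object { New-MgIdentityConditionalAccessPolicy -BodyParameter $_ }   # add -WhatIf for a dry run
```

Leave the policies in report-only mode for a few days and review the Report-only results in the sign-in log; the only sign-ins that CA001 should report are legacy-protocol ones you intend to break, typically old scanners or line-of-business apps still using SMTP AUTH, which need an app password alternative before you flip state to 'enabled'. Keep the break-glass exclusion, but never let those accounts go unwatched: any sign-in by them should page someone.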
Step 6: Monitor for recurrence and automate response
📌 Use Case:
This step keeps a repeat of the attack from going unnoticed by adding alerting and automation on top of the controls from Step 5.
Tools to use:
- Microsoft Defender for Identity or Microsoft Defender for Cloud Apps (formerly Cloud App Security) alerts
- Enable email forwarding alerts in the Exchange Admin Center; the default "Creation of forwarding/redirect rule" alert policy in the Microsoft Defender portal covers the same event.
PowerShell event monitoring:
- Open PowerShell as an administrator (reading the Security log requires it). Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following command:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 500
This lists the newest successful (4624) and failed (4625) logons on the local machine or server. Filtering with -FilterHashtable lets the event log service do the filtering instead of piping every Security event through Where-Object, which matters on busy servers. A single 4625 is noise; what matters is many 4625s from one source address in a short window, or a 4624 with logon type 10 (RDP) or 3 (network) from an address you do not recognize.
SIEM or RMM integration:
If managing multiple tenants, consider integrating with a SIEM tool or using an RMM platform like NinjaOne to streamline detection and alerting.
⚠️ Things to look out for
| Risk | Potential consequence | Remediation |
| --- | --- | --- |
| MFA is being bypassed | Users may authenticate without MFA, leaving accounts vulnerable to credential theft. | Check whether legacy authentication is still enabled and block it through Conditional Access policies. |
| Repeated credential theft | Indicates that compromised passwords are being reused, putting multiple accounts at risk. | Enforce stronger password policies, screen new passwords against known-breached lists with Entra Password Protection, and enable self-service password reset (SSPR) to improve recovery and hygiene. |
| User lockouts | Users may be incorrectly blocked, causing disruption and potential security gaps. | Review Conditional Access policy configurations, test new policies in report-only mode first, and ensure break-glass accounts are defined and excluded for emergencies. |
| Audit logs not showing activity | Lack of visibility into user actions hinders incident investigation and response. | Enable the Unified Audit Log and per-mailbox auditing through the Purview compliance portal, or with Set-Mailbox in Exchange Online PowerShell, and allow up to an hour for events to appear. |
Additional considerations for credential theft response
To further reduce the risk of credential theft and speed up recovery, you can deploy the following:
- Self-Service Password Reset (SSPR): Allowing users to reset their passwords without admin intervention can help expedite response to credential theft, even before contacting IT admins.
- Just-in-Time (JIT): Granting time-limited access for highly privileged accounts can reduce the attack surface.
- Privileged Access Workstations (PAWs): Deploying PAWS restricts administrative tasks to hardened, isolated devices to reduce exposure to credential theft and malware.
- Regular mailbox access audits: routinely reviewing who accesses mailboxes, especially shared mailboxes and delegated access, surfaces abuse of stolen credentials early and keeps access limited to authorized people.
NinjaOne services for responding to credential theft
NinjaOne and its tools can help enhance the proactive detection and response to credential theft.
| NinjaOne service | What it is | How it helps credential theft detection and response |
| --- | --- | --- |
| Endpoint log monitoring | Monitors Windows event logs such as Event IDs 4624 (successful sign-in) and 4625 (failed sign-in) | Detects brute-force attacks and suspicious sign-in activity across managed devices in near real time |
| PowerShell automation | Runs custom PowerShell scripts to query Azure AD sign-ins, revoke sessions, or flag accounts | Enables quick investigation and automated mitigation steps like revoking tokens or forcing password resets |
| High-risk login alerting | Sends alerts for logins from suspicious IPs, unusual locations, or risky user behavior | Notifies IT teams about potential credential misuse, enabling faster containment |
| Endpoint isolation | Tags or quarantines affected devices to restrict network access during a credential theft incident | Helps contain the threat by cutting off the compromised endpoint from communicating with other systems |
| Credential remediation workflows | Automates tasks like forcing password resets, blocking accounts, or removing inbox rules | Streamlines incident response by reducing time to action and limiting attacker dwell time |
Quick-Start Guide
NinjaOne offers several security-related features that can help protect and monitor Microsoft 365 environments:
1. Backup and Security Monitoring
– NinjaOne SaaS Backup uses 256-bit AES encryption for data protection
– Supports Multi-Factor Authentication (MFA)
– Provides authentication monitoring and error tracking
2. Authentication Security Features
– Supports Service Principal Authentication (SPA) to minimize potential security breaches
– Restricts data access rights to minimum necessary levels
– Offers detailed authentication logging and error reporting
3. Credential Management
– Can detect and alert on authentication errors
– Provides options for reauthentication when credential issues arise
– Monitors for conditional access policy conflicts that might indicate unauthorized access attempts
4. Additional Security Observations
– Checks for Azure AD conditional access policies
– Supports Azure AD Single Sign-On (SSO)
– Provides audit logs for user activities
While these features contribute to security, they are not a comprehensive credential theft detection solution. For robust credential theft protection, I recommend combining NinjaOne with dedicated security tools like Microsoft Defender or specialized threat detection services.
Addressing credential theft with urgency
Credential theft can cause a disruptive impact on an organization if not addressed with effective strategies. The steps outlined above should help you detect and respond to this urgent matter using different methods, such as reviewing sign-in logs, investigating mailbox and audit activity, revoking access, and applying tighter controls with Conditional Access and policy enforcement.
Credential theft is best addressed by combining Microsoft 365's built-in defenses with automation and monitoring tooling such as NinjaOne, so that MSPs and system administrators not only respond faster but also detect credential theft before it does real damage.
