Mailbox Threat Investigation
We traced several suspicious account and email symptoms, narrowed the likely causes, and delivered a practical plan to strengthen mailbox security.

Industries
Business
Services
Vulnerability Assessment,
Digital Forensics
About the project
A business needed help after several warning signs appeared at once: a user lost access to a business application, email messages seemed to disappear, and recurring phishing messages were reported as coming from inside the organization. Together, the events raised concern that a mailbox or the wider email environment might have been compromised.
The investigation had to separate unrelated symptoms, determine what the available evidence could support, and identify practical risk reductions. A third-party administration model restricted direct access to the hosted email environment, so the work also required a clear line between confirmed findings and items that still needed validation.
What we did
- We examined each reported symptom on its own instead of assuming a single attack caused every issue. Access to the business application had already been restored and was successfully verified, with no available evidence of unauthorized use. We also found no indication that malicious activity was responsible for the missing messages.
- Using PowerShell and the Exchange Online management module, we reviewed mailbox configuration and available server-side data. POP3 was enabled across the environment. Because this protocol can download messages into a local inbox and affect what users see on other devices, we identified it as a plausible contributor to the disappearing-email reports rather than a confirmed root cause.
- We examined mailbox activity, audit events, and forwarding settings for evidence of account takeover or internal phishing. The phishing messages we could identify came from outside the organization, and the available records did not reveal a malicious forwarding rule. We flagged selected account events and an unclear forwarding configuration for the managed provider to validate.
- We paired the hosted records available through the provider with local inspection of an affected endpoint. This allowed us to document the limits of the investigation while reaching a bounded conclusion: within the evidence we could examine, there was no indication that the email environment had been compromised.
- The configuration review confirmed that SPF and DKIM were present, while DMARC and multi-factor authentication were not enabled. We recommended enforcing DMARC, enabling multi-factor authentication, and disabling POP3 and IMAP where they were not required. We also advised reviewing active mailboxes so every account could be tied to a current user or valid business purpose.
Technologies Used
Powershell

Microsoft 365

