Microsoft 365 account hijacking has become a growing concern, as attackers use compromised accounts for insider phishing. Cybercriminals are increasingly impersonating trusted SaaS platforms to steal credentials, and once inside an organization they can operate undetected for hours or even days. Darktrace plays a crucial role in detecting and responding to such attacks: through Microsoft 365 account hijack detection, it monitors for unusual login behavior and phishing campaigns.
This blog explores Darktrace’s Microsoft 365 account hijack detection, the attack timeline, and how organizations can enhance security.
Growing Threat of Microsoft 365 Account Hijack
Attackers seize control of valid Microsoft 365 user accounts and then abuse the internal trust those accounts carry. The attack typically follows a step-by-step pattern.
1. Initial Compromise via Phishing
Cybercriminals craft deceptive emails that pretend to come from trusted SaaS platforms such as Microsoft Teams, QuickBooks, and OneDrive. The emails direct users to fake login pages that harvest their authentication credentials.
2. Unauthorized Login
Once attackers hold the compromised credentials, they log into the account from locations outside the user's usual regions. They read mailbox content and shared files to identify valuable targets before launching further attacks.
3. Modifying Inbox Rules to Evade Detection
To hide their activities, attackers set up automatic forwarding rules, delete security alerts, and filter out messages from IT teams. These actions conceal the unauthorized access and delay detection for an extended period.
4. Internal Phishing Campaigns
With control of the compromised account, the attacker sends deceptive messages to both internal staff and external business partners. These emails succeed because they come from a familiar, trusted address.
5. Privilege Escalation & Data Exfiltration
The attackers then use the additional accounts they have compromised to gain elevated permissions and steal sensitive company data.

Darktrace’s Detection of a Microsoft 365 Account Hijack
Darktrace’s AI was actively monitoring a leading technology firm in the APAC region when one of its employees became the target of a Microsoft 365 account takeover. The attack unfolded over a weekend, when security teams were less likely to respond immediately.
Timeline of the Attack
- Phase 1: Account Compromise
An employee unknowingly entered their credentials into a phishing page mimicking Microsoft OneDrive. Within hours, an attacker logged in from an unusual location and began suspicious activity.
- Phase 2: Suspicious Inbox Modifications
The attacker quickly modified inbox rules, hiding incoming alerts and forwarding emails externally. For Darktrace, this was an early indicator of malicious activity.
- Phase 3: Launching a Phishing Campaign
Over 200 phishing emails were sent from the compromised Microsoft 365 account to internal and external contacts. The emails included a OneDrive link titled “Contract & Proposal – Customer,” leading to another credential page.
- Phase 4: Secondary Account Compromise
Less than an hour later, Darktrace detected an unusual login to a second employee account from the same IP address, suggesting that a second compromise was underway.
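The three signals that run through both the attack steps above and the incident timeline (logins from an unfamiliar country, inbox rules that forward or delete mail, and one source IP signing into a second account shortly after the first) can be checked directly against Microsoft 365 audit events. The following is an added example written for this post, not Darktrace's own code or a real detection rule; the audit records, the per-user country baseline and the one-hour correlation window are all constructed assumptions, and the record layout is a simplified version of the unified audit log fields.

```python
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365 unified audit log records (simplified; not real data).
# Field names follow the UserId / Operation / ClientIP / Parameters shape of the real log.
EVENTS = [
    {"ts": "2025-01-11T02:10:00Z", "UserId": "alice@example.com", "Operation": "UserLoggedIn",
     "ClientIP": "203.0.113.7", "Country": "ZZ"},
    {"ts": "2025-01-11T02:14:00Z", "UserId": "alice@example.com", "Operation": "New-InboxRule",
     "ClientIP": "203.0.113.7", "Parameters": {"ForwardTo": "drop@example.net", "DeleteMessage": "True"}},
    {"ts": "2025-01-11T02:50:00Z", "UserId": "bob@example.com", "Operation": "UserLoggedIn",
     "ClientIP": "203.0.113.7", "Country": "ZZ"},
    {"ts": "2025-01-11T09:00:00Z", "UserId": "carol@example.com", "Operation": "UserLoggedIn",
     "ClientIP": "198.51.100.9", "Country": "AU"},
]
# Hypothetical per-user baseline: countries each user normally signs in from.
BASELINE = {"alice@example.com": {"AU"}, "bob@example.com": {"AU"}, "carol@example.com": {"AU"}}
# Exchange inbox-rule parameters that divert or hide mail (real parameter names).
EVASION_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder"}

def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")

def suspicious_inbox_rules(events):
    """Step 3 / Phase 2: new or changed inbox rules that forward, redirect, move or delete mail."""
    hits = []
    for ev in events:
        if ev["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            flagged = sorted(EVASION_PARAMS & set(ev.get("Parameters", {})))
            if flagged:
                hits.append((ev["UserId"], flagged))
    return hits

def unusual_logins(events, baseline):
    """Step 2 / Phase 1: sign-ins from a country outside the user's baseline."""
    return [(ev["UserId"], ev["Country"], ev["ClientIP"]) for ev in events
            if ev["Operation"] == "UserLoggedIn"
            and ev["Country"] not in baseline.get(ev["UserId"], set())]

def shared_ip_logins(events, window_minutes=60):
    """Phase 4: one source IP signing into two different accounts within the window."""
    window = timedelta(minutes=window_minutes)
    logins = sorted((ev for ev in events if ev["Operation"] == "UserLoggedIn"), key=_ts)
    pairs = set()
    for i, first in enumerate(logins):
        for later in logins[i + 1:]:
            if _ts(later) - _ts(first) > window:
                break  # logins are time-ordered, so nothing further can fall in the window
            if first["ClientIP"] == later["ClientIP"] and first["UserId"] != later["UserId"]:
                pairs.add((first["ClientIP"], first["UserId"], later["UserId"]))
    return sorted(pairs)
```

On the sample data the three checks together reproduce the timeline: an out-of-baseline login for the first user, a forward-and-delete rule minutes later, and a second account signed into from the same IP within the hour.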