M365 Incident Response Course
Why this course exists
Microsoft 365 holds an 87.5% share of the enterprise productivity market. Exchange Online processes over 400 billion emails per month. Teams has over 320 million monthly active users. SharePoint Online serves over 200 million users. When an attacker compromises an identity in this ecosystem, they gain access to email, files, chat, and directory services in a single session. The blast radius of one stolen credential in M365 is larger than in any other enterprise platform.
The threat data reflects this. Microsoft's 2025 Digital Defense Report recorded over 600 million identity attacks daily against M365 environments, with a 32% surge in the first half of 2025 alone. Token theft accounted for 31% of M365 breaches, with AiTM phishing attacks increasing 146% year-over-year. Commodified phishing-as-a-service kits like Tycoon 2FA, Mamba 2FA, and Evilginx make session token theft accessible to any attacker willing to spend $120 to $350 per month. The FBI's 2025 IC3 report recorded $3.04 billion in BEC losses from 24,768 complaints, averaging over $122,000 per incident. In April 2026, Microsoft disclosed a single AiTM campaign that targeted 35,000 users across 13,000 organizations in 26 countries over a three-day window.
These aren't exotic attacks requiring nation-state resources. They're commodity operations executed against the platform most organizations depend on for daily business. Every organization running M365 is a target. Most don't have the IR capability to respond when the attack lands.
This course builds that capability. It teaches the complete incident response lifecycle for M365 environments: building the IR team and plan, preparing the environment for rapid response, detecting and analyzing threats, collecting forensic evidence from cloud audit logs, containing and eradicating cloud-native attackers, managing legal and regulatory obligations, hunting for threats that evade detection, improving continuously after each incident, and executing under pressure in multi-stage simulations.
What this course covers
Twelve modules organized in six phases. Each phase builds on the one before it.
Phase 1: Foundations and Preparation (Modules 1 through 3)
Module 1: Foundations of M365 Incident Response. The shared responsibility model: what Microsoft secures versus what you secure. The current M365 threat landscape with data from the Microsoft Digital Defense Report: AiTM phishing, BEC, token theft, OAuth consent abuse, device code phishing, and ransomware targeting hybrid components (40% of ransomware attacks now target hybrid infrastructure, up from less than 5% in 2023). NIST SP 800-61 Rev 3 and SANS IR frameworks adapted to cloud reality. Regulatory context: GDPR Article 33, SEC cybersecurity disclosure rules, HIPAA breach notification, and NIS2 early warning requirements. Each regulation imposes specific timelines and evidence requirements that shape IR decisions from the first hour.
Module 2: Building and Maturing an IR Capability. IR team structure: IRT lead, analysts, forensic specialists, legal liaison, communications lead, executive sponsors. The RACI matrix for M365 incidents. IR plan development with escalation matrices and SOC integration. Maturity assessment across people, process, and technology. The practical IR readiness test: can you export the Unified Audit Log right now? Are your Graph API permissions configured? Can you revoke sessions for 500 users in under an hour? Is your Sentinel workspace retaining sign-in logs beyond the 30-day native limit? Most organizations discover these gaps during an incident. Module 2 finds them before one.
Module 3: Preparation and Prevention. Zero Trust as an IR readiness framework: Conditional Access policies that give you containment levers, not just access controls. Logging strategy: Unified Audit Log retention (180 days standard, 1 year with E5, 10 years with the retention add-on), Sentinel diagnostic settings for Entra ID sign-in logs that expire after 30 days natively, MailItemsAccessed availability (E5 or Audit Premium add-on only). Playbooks and runbooks for the top M365 incident types. Sentinel SOAR automation for evidence collection and initial containment. Conditional Access design specifically for IR: break-glass accounts, emergency lockdown policies, named locations you can block in 60 seconds.
Phase 2: Detection, Investigation, and Containment (Modules 4 through 6)
Module 4: Detection and Analysis. Where M365 alerts originate: Defender XDR incidents, Sentinel analytics rules, Identity Protection risk detections, Purview DLP alerts. Alert triage methodology. KQL as an investigation tool: the queries you run in the first 30 minutes. The Verizon 2025 DBIR measured the median time-to-click on a phishing email at 21 seconds versus 28 minutes to report. By the time the SOC sees the ticket, the attacker has already replayed the stolen token. Initial scoping and evidence preservation before retention windows close. MITRE ATT&CK mapping for M365 techniques. Anomaly detection beyond built-in rules.
Module 5: Forensics and Evidence Collection. The deepest module in the course. Entra ID identity architecture: users, service principals, managed identities, token types (access, refresh, PRT), roles, hybrid setup, Conditional Access evaluation as an evidence source. Email forensics: forensic analysis of inbox rules, transport rules, and forwarding rules (three distinct persistence mechanisms in three different log sources). Mailbox audit log and MailItemsAccessed (bind vs. sync operations, throttling behavior, SessionId grouping). Message trace log. SharePoint, OneDrive, and Teams forensics. M365 attack tools and the evidence they leave: GraphRunner, AADInternals, ROADTools, TokenTactics. Anti-forensic techniques: what attackers do to cover their tracks and how to detect the cleanup itself. Access token abuse and Family of Client IDs (FOCI). Chain of custody and legal admissibility for cloud evidence. Cross-source timeline reconstruction.
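Module 5's point that one outcome (mail leaving the tenant) hides behind three different operations is easy to state and easy to miss when reading raw audit data. The following is an added example written for this page, not part of the course materials: detection logic that normalizes the three mechanisms out of Unified Audit Log records. It reads each record's Operation and its Parameters list (the Name/Value pairs Exchange admin-audit entries carry), pulls the recipient-bearing parameters for inbox rules (New-InboxRule), mailbox forwarding (Set-Mailbox) and transport rules (New-TransportRule), and flags any destination outside the organization's accepted domains. The accepted-domain list, the sample records, the actor names and the external relay address are constructed for the example; the cmdlet and parameter names are the Exchange names that appear in the audit records.

```python
"""Flag external mail forwarding created through inbox rules, mailbox forwarding
and transport rules in Unified Audit Log records.

Added example for this course overview, not course code. Record shape follows
Exchange admin-audit entries in the Unified Audit Log (Operation plus a
Parameters list of {"Name", "Value"} pairs); all sample data is constructed.
"""

# Assumption (constructed): the tenant's accepted domains.
INTERNAL_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Recipient-bearing parameters on each cmdlet that can move mail out of a mailbox.
FORWARDING_PARAMETERS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"},
    "Set-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"},
}

# Which of the three persistence mechanisms each operation belongs to.
MECHANISM = {
    "New-InboxRule": "inbox rule", "Set-InboxRule": "inbox rule",
    "Set-Mailbox": "mailbox forwarding",
    "New-TransportRule": "transport rule", "Set-TransportRule": "transport rule",
}


def _parameters(record):
    """Flatten the record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _addresses(value):
    """Split a recipient parameter into bare lower-case addresses.
    Exchange serialises recipient lists as ';'-separated strings and may
    prefix an address with 'smtp:' (Set-Mailbox -ForwardingSmtpAddress)."""
    addrs = []
    for part in str(value).split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            addrs.append(part.lower())
    return addrs


def _is_external(addr):
    return addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def find_forwarding_persistence(records):
    """Return one finding per record that creates or changes an external forward.
    The finding names the mechanism so the responder knows which log source to
    pull and which cmdlet family undoes the change; internal-only forwards and
    rules that merely move mail are left alone."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in FORWARDING_PARAMETERS:
            continue
        params = _parameters(rec)
        external = sorted(
            addr
            for name in FORWARDING_PARAMETERS[op] if name in params
            for addr in _addresses(params[name]) if _is_external(addr)
        )
        if external:
            findings.append({
                "time": rec["CreationTime"],
                "actor": rec["UserId"],
                "client_ip": rec.get("ClientIP"),
                "mechanism": MECHANISM[op],
                "operation": op,
                "target": rec.get("ObjectId"),
                "external_recipients": external,
            })
    return findings


# Constructed sample records: three external forwards (one per mechanism), one
# inbox rule that only moves mail, and one forward to an internal mailbox.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-03-04T09:12:41", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@contoso.com", "ObjectId": "alice@contoso.com\\Invoices", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance-archive@mailbox-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T09:13:10", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@contoso.com", "ObjectId": "alice@contoso.com\\Newsletters", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2025-03-04T09:14:02", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "alice@contoso.com", "ObjectId": "alice@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "alice@contoso.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:finance-archive@mailbox-relay.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-03-04T10:02:30", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "admin@contoso.com", "ObjectId": "bob@contoso.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.delegate@contoso.com"}]},
    {"CreationTime": "2025-03-04T09:20:55", "Operation": "New-TransportRule", "Workload": "Exchange",
     "UserId": "admin@contoso.com", "ObjectId": "Finance copy", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Finance copy"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "BlindCopyTo", "Value": "finance-archive@mailbox-relay.example"}]},
]

if __name__ == "__main__":
    for f in find_forwarding_persistence(SAMPLE_RECORDS):
        print(f"{f['time']} {f['mechanism']:<19} {f['actor']:<20} -> {', '.join(f['external_recipients'])}")
```

Run against a real export, the same logic takes the JSON `AuditData` payload of each `Search-UnifiedAuditLog` result; the point the example makes is that the three mechanisms share one destination and one client IP here, which is the cross-source correlation Module 5 asks for, and which no single-operation alert shows.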
Module 6: Containment, Eradication, and Recovery. Cloud containment across identity, email, files, and applications simultaneously. Emergency Conditional Access deployment via Graph API. Token revocation: Revoke-MgUserSignInSession, Continuous Access Evaluation enforcement windows, the reality of propagation delays (it's not instant). Password resets at scale with correct sequencing (service accounts first, then privileged, then affected). OAuth application remediation: revoking consent grants, removing attacker app registrations, service principal credential rotation. Mailbox remediation: inbox rules, forwarding, delegate access, transport rules. Eradication verification: every persistence type mapped to a verification step. Hybrid containment: KRBTGT reset sequencing, AD Connect pause decisions, pass-through authentication during containment.
Phase 3: Threat-Specific Response (Module 7)
Module 7: Threat-Specific Response Playbooks. Complete response playbooks covering the attack technique, the evidence it produces, and the step-by-step response from detection through recovery.
BEC and advanced phishing: AiTM proxy attacks, credential harvest, invoice manipulation, financial fraud tracing, evidence packaging for law enforcement. Identity and Entra ID attacks: token theft and replay, MFA fatigue/push bombing, device code phishing (OAuth device authorization flow abuse), Teams-based phishing. Malicious OAuth apps and consent phishing. Execution via Graph API calls and PowerShell, persistence via account manipulation and MFA method registration, exfiltration via eDiscovery Content Search and Power Automate abuse. Access token abuse and FOCI. Ransomware in M365: SharePoint/OneDrive encryption via sync client, Teams-based delivery, cloud-native data destruction (87% increase in destructive campaigns targeting Azure in 2025). Insider threats: departing employee investigation, eDiscovery abuse, legally defensible evidence packages. M365 attack tool identification. Multi-vector incidents where the attack crosses playbook boundaries.
Phase 4: Legal, Compliance, and Communication (Module 8)
Module 8: Legal, Compliance, Communications, and Stakeholder Management. Breach notification laws with specific timelines: GDPR Article 33 (72 hours to supervisory authority), NIS2 early warning (24 hours) and full notification (72 hours), SEC materiality determination and 8-K filing requirements, HIPAA breach notification. Working with legal counsel: attorney-client privilege, how it shapes evidence handling and report distribution, what happens when privilege is waived accidentally. Executive communication: translating cloud investigation findings into business language. Internal and external notification templates. Cyber insurance: carrier notification requirements, panel counsel, panel IR firms. Privacy implications of M365 evidence collection in GDPR jurisdictions.
Phase 5: Hunting and Improvement (Modules 9 and 10)
Module 9: Threat Hunting in M365. Proactive versus reactive hunting. Hypothesis-driven methodology. Practical hunting queries in Defender XDR Advanced Hunting and Sentinel. Living-off-the-land in M365: attackers using Power Automate for exfiltration, eDiscovery Content Search for reconnaissance, Teams for phishing delivery, SharePoint for staging. Hunting for persistence that survives remediation: the post-containment verification hunt for service principals, OAuth apps, and federation trusts the incident response missed.
Module 10: Post-Incident Activities and Continuous Improvement. Root cause analysis: not "the user clicked a phishing link" but "the Conditional Access policy had an exclusion created for a migration two years ago that was never removed." IR metrics: MTTD, MTTR, containment rate, evidence preservation rate. Lessons-learned facilitation that produces actionable improvements with owners and deadlines. Control enhancements driven by what the incident proved was missing. Feedback loops that close the gap between identifying the problem and fixing it.
Phase 6: Simulations and Advanced Topics (Modules 11 and 12)
Module 11: Simulations, Tabletop Exercises, and Capstone. Tabletop exercise design with facilitator notes for group use. Three text-based decision-tree scenarios: BEC with financial fraud, token theft with persistent access, insider exfiltration via cloud and AI tools. A multi-stage capstone: AiTM phishing chains into BEC, ransomware via Teams, and data exfiltration through SharePoint sharing links. You lead the response across all vectors, manage containment priorities, handle executive communication, and produce the investigation report. The capstone output is a personalized IR action plan for your organization.
Module 12: Advanced Topics, Hybrid/Multi-Cloud, and Future Trends. Hybrid Entra ID incident response: AD Connect sync poisoning, pass-through authentication abuse, federation trust attacks. Multi-cloud scenarios where M365 compromise extends into AWS or GCP via OIDC federation. AI-enhanced threats: Copilot prompt injection, deepfake voice in BEC calls, AI-generated phishing at scale. Emerging tools including Security Copilot for investigation acceleration. Career development in cloud IR.
Why we cover what we cover
The course follows the IR lifecycle because incidents do. You can't investigate effectively without preparation: the logging you didn't configure is the evidence you won't have. You can't contain without understanding the evidence: the service principal you didn't find is the access the attacker keeps. You can't close an incident without addressing legal obligations: GDPR's 72-hour clock started when you confirmed the breach, not when you finished the investigation. You can't prevent the next incident without structured improvement: the lessons-learned meeting that produces no action items is the meeting that guarantees a repeat.
Module 5 is the deepest module because evidence collection is the foundation of everything else. Containment decisions depend on evidence. Legal notifications depend on evidence. Executive communication depends on evidence. If you can't collect and interpret the evidence, nothing else works.
Module 7 exists as a standalone phase because real incidents don't announce their type at the start. The skills in Phases 1 and 2 apply to every incident. The playbooks in Phase 3 apply those skills to specific threat patterns. A student who completes both can handle an incident they've never seen before.
Section 0.2 covers how to get the most from this course.