Microsoft 365 Security Assessment & Incident Response

When email compromise hits — or before it does — we investigate the breach, harden the tenant, and produce the forensic report your insurance carrier, partners, and regulators will accept. Built for SMBs and growth-stage teams running Microsoft 365 or Google Workspace.

Business Email Compromise is one of the most common breaches SMBs face — and one of the most expensive. A single compromised mailbox can drain wire transfers, leak customer data, expose privileged credentials, and trigger insurance and regulatory disclosures.

The FBI's Internet Crime Complaint Center (IC3) reports BEC-related losses exceeding $2.9 billion annually in the US alone, with attackers increasingly targeting cloud-based email through credential theft, MFA bypass, conditional access manipulation, and malicious OAuth app consent.

The worst part: many cyber insurance policies contain exclusions or "reasonable security controls" requirements that can be triggered if proper controls aren't documented at the time of the incident. Affected businesses often face coverage disputes — making forensic investigation reports critical to claim recovery.

What's included

Eight deliverables, packaged or à la carte

Eight specific deliverables, executed as a packaged engagement or individual services.

  1. Compromised Account & Login Investigation

     Forensic analysis of sign-in patterns, IP geolocation, anomalous authentication, and impossible-travel events across your tenant. Using Microsoft 365 Unified Audit Logs and Defender for Identity telemetry, we identify compromised user and admin accounts — and trace the threat actor's actions step-by-step.

  2. Email & File Forensic Recovery

     Reconstruct stolen, deleted, or exfiltrated emails and files from Exchange Online, SharePoint, and OneDrive. We recover what's recoverable via eDiscovery and litigation hold workflows, and provide an auditable timeline of every action the attacker took.

  3. Identity Hardening: MFA & Passkey Enforcement

     Audit of every user account for MFA / FIDO2 passkey status. We close gaps, enforce strong authentication via Conditional Access policies, and configure Privileged Identity Management (PIM) for admin accounts.

  4. Microsoft 365 Tenant Hardening

     Full configuration review against Microsoft Secure Score and the CIS Microsoft 365 Foundations Benchmark. We implement Defender for Office 365 (Safe Links, Safe Attachments, anti-phishing, anti-spoofing), DLP policies, sensitivity labels, and a Zero-Trust-aligned Conditional Access architecture.

  5. Operations & High-Risk Workflow Activity Log Audit

     For businesses with payment workflows, customer service operations, or wire-transfer processes, we review activity logs for fraud patterns: anomalous transaction approvals, after-hours admin activity, suspicious mailbox forwarding rules, external sharing anomalies, and indicators of social engineering.

  6. Endpoint Vulnerability Assessment

     Using Microsoft Defender Vulnerability Management, we identify outstanding vulnerabilities on user workstations, tablets, and mobile devices. We provide a prioritized remediation list. The client is responsible for executing patches; we provide the roadmap and validation.

  7. Third-Party Integration & SaaS Audit

     Audit of customer-facing websites, third-party SaaS integrations, OAuth applications connected to your tenant, and partner portals. We review page load order, third-party script chains, and any external integration that could be a compromise vector — including e-skimming, supply chain risk patterns, and malicious app consent.

  8. Forensic Investigation & Remediation Report

     A detailed report suitable for cyber insurance carriers (to contest exclusion claims or support coverage), business partners and counterparties, law enforcement (FBI IC3), regulatory disclosure where required, and internal executive leadership and legal counsel. Includes incident timeline, IOCs, attack chain reconstruction, remediation actions taken, residual risk assessment, and a 90-day hardening roadmap.
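The impossible-travel check named in deliverable 1 is, at its core, a speed calculation between consecutive sign-ins for the same account. The following is an added illustration of that logic, not the firm's tooling; it assumes the IP-to-location lookup has already been done and uses constructed sign-in records rather than real audit log output.

```python
"""Impossible-travel check over sign-in events (added illustration, not the
firm's tooling). Assumes IP -> lat/lon resolution already happened; the
records below are constructed, not real Unified Audit Log output."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # anything faster than an airliner is treated as impossible

# Constructed sample: alice signs in from Chicago, then 20 minutes later from
# Amsterdam (~6,600 km away); bob flies New York -> Los Angeles in 7 hours.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-03-01T09:00:00", "ip": "203.0.113.10", "lat": 41.88, "lon": -87.63},
    {"user": "alice@example.com", "time": "2024-03-01T09:20:00", "ip": "198.51.100.7", "lat": 52.37, "lon": 4.90},
    {"user": "bob@example.com", "time": "2024-03-01T08:00:00", "ip": "203.0.113.20", "lat": 40.71, "lon": -74.01},
    {"user": "bob@example.com", "time": "2024-03-01T15:00:00", "ip": "203.0.113.21", "lat": 34.05, "lon": -118.24},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier_ip, later_ip, implied_speed_kmh) for each pair of
    consecutive sign-ins by one user that would require faster-than-airliner travel."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two places at the same instant is impossible; same place is fine.
            speed = (float("inf") if km > 0 else 0.0) if hours <= 0 else km / hours
            if speed > max_speed_kmh:
                findings.append((user, prev["ip"], cur["ip"], round(speed)))
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SIGNINS):
        print("impossible travel:", finding)
```

In a real investigation the same function would be fed the geolocated sign-in records exported from the tenant's audit logs, and a hit is a lead to verify against the user's known travel and VPN usage, not proof of compromise on its own.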

Who this is for

Built for high-BEC-exposure operators

  • SMB and growth-stage companies (25-500 employees) running Microsoft 365 or Google Workspace as their primary collaboration platform
  • Financial services, insurance, legal, healthcare, and professional services firms with wire-fraud or sensitive data exposure
  • Companies recovering from email compromise, account takeover, or wire fraud incidents
  • Companies preparing for cyber insurance renewals that require documented security controls
  • Any business whose cyber insurance carrier has flagged M365 / Workspace hardening as a coverage requirement

Why Defenssive

Forensic-grade work, senior-led

  • Microsoft cybersecurity certifications across the full stack — SC-100 Architect Expert, SC-200, SC-300, SC-401, AZ-500
  • Senior engineers only — your engagement is led by a 10+ year M365 security practitioner
  • Reports that hold up under insurance and legal scrutiny — written to forensic standards, suitable for carrier disputes and law enforcement filings
  • Flexible engagement model — fixed-scope packages, reactive IR within 24 hours of confirmed compromise

Engagement format

How we work

Standard engagement

5–10 business days, fixed-scope, fixed-price (quoted after intake call).

Reactive incident response

Available within 24 hours of confirmed compromise.

User count

Flexible — packages sized to your environment, no hard cap.

Suspect compromise? Or want to harden before one happens?

30 minutes. No pitch. Real recommendations from a senior Microsoft security consultant.