Microsoft Exchange Online security audit
By the QuantumSec team
Corporate email is both the company's most-used communication channel and one of the attackers' favorite targets: CEO fraud, targeted phishing and much of the lateral movement after an account compromise all pass through it. An Exchange Online audit goes beyond checking whether MFA is enabled: it analyzes delegated permissions, transport rules, connectors and audit logs to confirm what an attacker could actually do with access to a mailbox.
What a Microsoft Exchange Online security audit covers
- Delegated mailbox permissions: who has Full Access, Send As or Send on Behalf on which mailboxes, and whether those permissions are still needed.
- Transport rules and connectors: rules that automatically forward, copy or modify mail, and misconfigured connectors that allow unauthenticated sending.
- Domain authentication: SPF, DKIM and DMARC configuration to prevent spoofing of the corporate domain.
- Mailbox Audit Logging: what gets logged, for how long, and whether it would allow reconstructing an incident.
- Conditional Access and MFA applied specifically to Exchange access, including legacy protocols (POP, IMAP, SMTP AUTH) that are often left outside conditional access controls.
- Accepted domains and misconfigured trusted senders.
Malicious forwarding rules: the most common persistence vector
One of the most common persistence techniques after compromising a mail account is creating a silent forwarding rule to an external address. The attacker retains visibility into correspondence even after the victim changes their password. We cover this vector in detail, with concrete examples, in our dedicated resource on forwarding rules and BEC fraud.
Delegated access and mailbox permissions: the risk almost nobody reviews
Full Access and Send As permissions accumulate over time: an assistant who already changed roles, an external consultant whose project ended months ago, a shared mailbox with too many people holding full access. Each of these permissions is a route to sensitive correspondence that is rarely reviewed once granted.
Connectors and accepted domains: the risk of becoming an open relay
A misconfigured connector — originally intended to allow sending from an internal device or application without authentication — can end up allowing anyone on the network, or in some cases from outside, to send mail spoofing the corporate domain. It's one of the findings that most often surprises IT teams once reviewed in depth.
How this differs from a general Microsoft 365 audit
A Microsoft 365 audit covers Exchange as one of several components, alongside Entra ID, SharePoint, Teams and OneDrive. An Exchange-focused audit goes deeper specifically into mail: mailbox permissions, transport rules, connectors and domain authentication, at a level of detail a general tenant review doesn't always reach. It makes sense as a standalone piece when email is the most critical system or when suspicious mail-related activity has already been detected.
FAQ
Do you need Global Administrator access to audit Exchange?
No. A read-only Exchange administrator role or a delegated role with audit permissions is enough. The scope for any specific active tests is agreed in advance.
Does this audit replace the general Microsoft 365 audit?
No, it complements it. If you've never audited the tenant, we recommend starting with the general Microsoft 365 audit. This Exchange-focused audit makes sense as a standalone piece when email is especially critical or after a mail-related incident.
Can it detect if a malicious forwarding rule is already active?
Yes. Reviewing transport and mailbox rules is part of the standard scope, precisely because it's one of the most common persistence techniques after an account compromise.