BreachRecon

You discovered a breach in your M365 tenant. Microsoft only keeps 30 days of logs. The attack started 45 days ago. You're flying blind trying to understand what happened.

Forensic reconstruction from remaining artifacts—mailbox rules, forwarding configs, OAuth apps, sign-in anomalies. Piece together the attack timeline from what's left.