M365 Onboarding Lookback
in progress
Rich Mozeleski
## Problem
When a new M365 tenant connects to Managed ITDR, Huntress starts with a blank slate. Today we only run two narrow historic checks at onboarding — inbox rules and rogue applications — then wait for forward-looking detections to fire. If a tenant is already compromised when it onboards, nobody knows until the attacker makes their next move.
This leaves a critical gap at the moment of first impression. Tenants frequently onboard while actively compromised, or carrying artifacts from prior incidents that were never fully remediated. Partners have no retrospective story to share with their clients showing what was happening before Huntress arrived.
## What We're Doing About It
At the moment a tenant completes onboarding, Huntress will automatically look back across up to 180 days of historical activity and run our full identity detection suite against it — credential theft, token theft, adversary-in-the-middle, suspicious browsers, datacenter logins, and more.
- **Active compromises** (still ongoing, no remediation taken) generate critical incident reports and trigger identity lockdown, just like a real-time detection would.
- **Previously remediated compromises** are added to the ITDR Security Assessment as forensic context, so you can share the full picture with your client.
The Security Assessment becomes a comprehensive retrospective rather than a blank report followed by piecemeal findings.
Rich Mozeleski
Merged in a post:
Huntress detected a suspicious inbox rule in the Microsoft 365 mailbox
Invited Member
Could this report also include the date the rule was created? This way we could see if this correlates with a previous known incident.
Rich Mozeleski
For the historic inbox rule reports, we are not able to determine the date the rule was created from the query we run against the mailbox. Our upcoming Lookback feature will be able to determine when the inbox rule was created if the rule was created in the lookback window.
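The reconciliation described in this reply (a live mailbox query returns rules without a creation date; the lookback window supplies one when the creation event falls inside it), as an added Python example that is not Huntress's code: the record shape follows Exchange unified-audit-log events, the sample rules and events are constructed, and the list of hiding folders is an assumption taken from this thread.

```python
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 180

# Folder targets named in this thread as commonly used to hide diverted mail (assumption).
HIDING_FOLDERS = {"conversation history", "rss feed", "rss feeds"}

# Constructed sample: rules from a live mailbox query; no creation date is available here.
CURRENT_RULES = [
    {"Name": "Archive Invoices", "MoveToFolder": "Conversation History"},
    {"Name": "Newsletters", "MoveToFolder": "Reading"},
    {"Name": "Legacy Filter", "MoveToFolder": "RSS Feeds"},
]

# Constructed sample: unified-audit-log style records (UTC timestamps); Parameters is a
# list of name/value pairs, as in Exchange audit records.
AUDIT_EVENTS = [
    {"Operation": "New-InboxRule", "CreationTime": "2024-05-02T08:14:00",
     "Parameters": [{"Name": "Name", "Value": "Archive Invoices"},
                    {"Name": "MoveToFolder", "Value": "Conversation History"}]},
    {"Operation": "Set-InboxRule", "CreationTime": "2024-05-03T09:00:00",
     "Parameters": [{"Name": "Name", "Value": "Archive Invoices"}]},
    {"Operation": "New-InboxRule", "CreationTime": "2024-06-10T17:45:00",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

def _param(event, key):
    return next((p["Value"] for p in event["Parameters"] if p["Name"] == key), None)

def lookback_inbox_rules(rules, events, now, days=LOOKBACK_DAYS):
    """Map each current rule to its earliest New-InboxRule time inside the window.
    created=None means the rule predates the window or its creation was not logged."""
    window_start = now - timedelta(days=days)
    created = {}
    for ev in events:
        if ev["Operation"] != "New-InboxRule":
            continue
        ts = datetime.fromisoformat(ev["CreationTime"]).replace(tzinfo=timezone.utc)
        if not window_start <= ts <= now:
            continue
        name = _param(ev, "Name")
        if name is not None and (name not in created or ts < created[name]):
            created[name] = ts
    return {r["Name"]: {"created": created.get(r["Name"]),
                        "hiding": r["MoveToFolder"].strip().lower() in HIDING_FOLDERS}
            for r in rules}
```

A rule with `created=None` still gets reported on its folder target; it simply cannot be correlated to a date inside the window, which is the limitation the reply describes.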
James Ramsey
I feel like any rule moving mail from the Inbox to "Conversation History" or "RSS Feed" should instantly trigger an account lock.
Rich Mozeleski
James Ramsey: We generally do report on these automatically, pending the SOC's review. The original post was referencing our historic inbox rule reporting.
Rich Mozeleski
updated the status to
in progress