The most common cloud security incidents are the result of compromised credentials for either human or non-human identities. Microsoft 365 is a popular target due to its numerous integrations with other platforms and services, making it a central point of access for sensitive data. Attackers often use phishing campaigns to gain initial access, and once they have control, they may manipulate settings, download data, or modify permissions to escalate their privileges. Understanding the various stages of an attack on Microsoft 365 services is crucial to detect malicious activity, such as increased login attempts, atypical IP addresses, changes to account passwords, and suspicious inbox rules. Datadog Cloud SIEM provides a Microsoft 365 content pack to simplify monitoring of suspicious behavior captured in logs, offering comprehensive visibility into user activity and interactions with important resources and data.
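The four signals named above (increased login attempts, atypical IP addresses, password changes, suspicious inbox rules) can be checked over audit records as in the following added example, which is not part of the original page and is not Datadog's content pack or its detection rules. It assumes records shaped like Microsoft 365 unified audit log entries (`Operation`, `UserId`, `ClientIP`, `Parameters`); the sample events, the per-user IP baseline and the failure threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample records, shaped like Microsoft 365 unified audit log entries.
# Field and operation names are assumptions about that schema; IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.10"},
    *[{"Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "203.0.113.50"}] * 6,
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.50"},
    {"Operation": "Change user password.", "UserId": "bob@example.com", "ClientIP": "203.0.113.50"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.50",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Hypothetical baseline of IPs previously seen per user, and a hypothetical tuning value.
KNOWN_IPS = {"alice@example.com": {"198.51.100.10"}, "bob@example.com": {"198.51.100.20"}}
FAILED_LOGIN_THRESHOLD = 5
# Rule actions that forward, redirect or hide mail.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def detect(events, known_ips=KNOWN_IPS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a sorted list of (user, signal) findings for the four signals."""
    findings, failures = set(), Counter()
    for ev in events:
        user, op, ip = ev["UserId"], ev["Operation"], ev.get("ClientIP")
        if op == "UserLoginFailed":
            failures[user] += 1
            if failures[user] >= threshold:
                findings.add((user, "increased_login_attempts"))
            continue  # failed attempts are counted, not treated as account activity
        atypical = bool(ip) and ip not in known_ips.get(user, set())
        if atypical:
            findings.add((user, "atypical_ip"))
        if atypical and op in ("Change user password.", "Reset user password."):
            findings.add((user, "password_change_atypical_ip"))
        if op in ("New-InboxRule", "Set-InboxRule"):
            # Ignore parameters explicitly set to False (for example DeleteMessage=False).
            params = {p["Name"] for p in ev.get("Parameters", []) if p.get("Value") != "False"}
            if params & RISKY_RULE_PARAMS:
                findings.add((user, "suspicious_inbox_rule"))
    return sorted(findings)

if __name__ == "__main__":
    for user, signal in detect(SAMPLE_EVENTS):
        print(f"{user}: {signal}")
```

On the constructed sample, every finding belongs to the one account whose activity follows the sequence the paragraph describes; the folder-sorting rule on the other account is not flagged.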