Using the Office 365 Activities API to Investigate Business Email Compromises…. MSO 365 has an undocumented API for forensics, where you can curl a user’s activity report.

https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/