Recently, My CEO's webmail got accessed and someone had setup a mail forward in webmail to another email.
We have change the passwords for the account, and killed the forward, but I am trying to find out when this was done/who did it.
Is there a log of sign in's and IP addresses they were done from so I can try to trace anything strange? We use O365