As organizations increase their adoption of cloud services, we see attackers following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world and it is also becoming an increasingly relevant artifact for intrusion investigations. This presentation will discuss two real world attacks that targeted Office 365–one motivated by money and the other by information. Through the case studies we will analyze the TTPs of both threat actors and how they differ, describe how to optimize Office 365 for investigations, provide an overview of the log sources that are available (and their limitations), and provide recommendations for enhancing the security of Office 365.