Free Tool

Attic Triage Tool

Forensic log files from Microsoft 365 — in minutes

Investigating a compromised Microsoft 365 account? The Attic Triage Tool lets you export all relevant forensic log files directly from your tenant — no installation required, no passwords shared. Built on the battle-tested Microsoft Extractor Suite by Invictus Incident Response, it gives you the evidence you need to understand exactly what happened.

How it works

Three steps are all it takes to get a complete forensic log package from your Microsoft 365 environment.

1. Connect your Microsoft 365

Connect to your tenant via a secure OAuth flow. No passwords required — authentication is handled entirely by Microsoft.

2. Select the account

Choose the user whose account you suspect has been compromised. The tool scopes all log collection to that identity.

3. Export forensic logs

The tool automatically collects all relevant log files for analysis — ready to hand off to your incident response team or use yourself.

What you get

The Triage Tool exports the logs that matter most in a Microsoft 365 security investigation — all in one automated export.

Unified Audit Logs

A complete record of all user and admin activity across Exchange Online, SharePoint, Teams and more — the single most valuable forensic source in Microsoft 365.

Sign-in Logs

Every login attempt — successful and failed — with IP addresses, locations, device info and authentication method. Pinpoints exactly when and how an attacker got in.

Mailbox Rules & Forwarding

Attacker-created inbox rules that hide replies, delete alerts or silently forward email to external addresses. A classic persistence technique exposed immediately.

OAuth App Consents

Third-party apps that have been granted access to the account — a common vector for persistent access after credentials are rotated. Revoke malicious consents immediately.

Admin Audit Logs

Administrative actions taken in the tenant during and after the compromise — including role assignments, policy changes and user modifications that attackers use to maintain control.

Timeline Reconstruction

All collected logs are structured to support a chronological reconstruction of the incident — from initial access to the last observed attacker activity.

Why use the Triage Tool?

When a Microsoft 365 account is compromised, every minute counts. Attackers delete evidence, set up persistence mechanisms and exfiltrate data fast. The Triage Tool helps you capture the forensic evidence before it disappears.

Completely free

No subscription, no trial, no credit card. The tool is free for anyone responding to a Microsoft 365 incident.

No installation required

Runs entirely in the browser. No PowerShell modules, no local setup, no admin privileges on the investigating device.

Data stays in your tenant

Log files are exported directly to you. Nothing is stored on Attic's servers. Your data never leaves your control.

Built on proven open-source tooling

Powered by the Microsoft Extractor Suite — the same tooling used by professional incident responders worldwide, now accessible via a simple web interface.

Built on trusted foundations

The Attic Triage Tool wraps best-in-class open-source forensics tooling in a simple, secure interface.

Built on Microsoft Extractor Suite

Open-source, community-audited forensic extraction framework

By Invictus Incident Response

Dutch-based IR firm with a global reputation in cloud forensics

Used by incident responders worldwide

Trusted by security professionals in hundreds of real-world investigations

100% free, no registration

No account, no sign-up, no strings attached

For IT Providers

Are you an IT provider or MSP?

The Triage Tool is also perfectly suited for MSPs investigating incidents at their clients. Connect to the customer's tenant, export the logs and have the forensic evidence ready — without needing specialist tools on every device.

Want to go further? Combine the Triage Tool with Attic MDR for continuous threat detection across all your managed tenants — so you catch incidents before your clients even notice.

Start your forensic investigation today

The Attic Triage Tool is free, requires no installation and keeps your data in your own tenant. Get the forensic evidence you need in minutes — not days.

Need expert help? Attic's incident response team is available 24/7.