Business E-mail Compromises (BEC) are increasingly becoming a significant cause of data breaches and financial loss. Many companies are falling victim to mass phishing and credential harvesting attacks giving attackers access to internal email communications and sensitive private data. Compounding the issues are more and more organizations are moving their email into the cloud, using services such as Office 365. An organization’s ability to defend and respond to a breach within a cloud email environment requires planning and forethought. This talk will provide guidance, tools, and tips when performing cloud-based incident response within a typical Office 365 environment. A discussion of Office 365 incident response and forensics capabilities, security features, and how security teams can effectively utilize these resources will be presented.