Mailbox audit logs are records of actions taken in an email mailbox and related access events. They can show when a user opened a message, changed mailbox settings, created forwarding or inbox rules, accessed mail from a new device or location, or performed other administrative actions. In practice, they help investigators reconstruct what happened after a suspicious email reached a mailbox.
These logs matter because phishing often turns into an account-abuse problem after the first click. Message traces may show delivery, but mailbox audit logs reveal post-delivery behavior that can confirm compromise, such as hidden forwarding, deletion of evidence, or unusual access patterns. Security teams use them to scope exposure, preserve evidence, and decide whether the incident stayed at the inbox or spread into the account. They are a core part of mail incident response alongside sign-in telemetry and message analysis.
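The post-delivery review described above can be sketched as a small triage pass over audit records. This is an added example, not part of the original page; the record layout, operation names, addresses and the `triage` function are constructed for illustration and do not follow any particular vendor's audit schema.

```python
import json
from datetime import datetime

# Constructed sample records; field names and operation labels are
# hypothetical, not any vendor's audit schema.
SAMPLE_LOG = """\
{"time":"2024-05-02T09:14:00","user":"pat@corp.example","op":"MessageRead","ip":"198.51.100.7","detail":{"subject":"Invoice overdue"}}
{"time":"2024-05-02T09:31:00","user":"pat@corp.example","op":"MailboxLogin","ip":"203.0.113.50","detail":{}}
{"time":"2024-05-02T09:33:00","user":"pat@corp.example","op":"InboxRuleCreated","ip":"203.0.113.50","detail":{"forward_to":"drop@mail.example.net","mark_read":true}}
{"time":"2024-05-02T09:35:00","user":"pat@corp.example","op":"MessagePurged","ip":"203.0.113.50","detail":{"subject":"Invoice overdue"}}
{"time":"2024-05-02T10:02:00","user":"pat@corp.example","op":"InboxRuleCreated","ip":"198.51.100.7","detail":{"forward_to":"team@corp.example"}}
"""

def triage(log_text, delivered_at, known_ips, internal_domain):
    """Return (time, finding) pairs for post-delivery events worth review."""
    findings = []
    seen_ips = set(known_ips)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["time"])
        if when < delivered_at:
            continue  # only behaviour after the suspicious delivery is in scope
        ip, op, detail = rec["ip"], rec["op"], rec.get("detail", {})
        if ip not in seen_ips:
            findings.append((rec["time"], f"access from new address {ip}"))
            seen_ips.add(ip)  # report each new address once
        if op == "InboxRuleCreated":
            target = detail.get("forward_to", "")
            # A rule that forwards outside the organisation is the
            # "hidden forwarding" case; internal targets are ignored.
            if target and not target.lower().endswith("@" + internal_domain):
                findings.append((rec["time"], f"external forwarding to {target}"))
        elif op == "MessagePurged":
            findings.append((rec["time"], "message permanently deleted"))
    return findings

if __name__ == "__main__":
    for when, what in triage(SAMPLE_LOG, datetime(2024, 5, 2, 9, 10),
                             {"198.51.100.7"}, "corp.example"):
        print(when, what)
```

In a real investigation the known-address baseline would come from sign-in telemetry, and each finding would be preserved together with the raw record it was derived from.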



