Powershell or non-browser mailbox login activity in Office 365
This will help you determine if mailbox login was done from Exchange Powershell session. By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell. Source: Github - Microsoft
MITRE ATT&CK Tactics
Approved operational change
Whitelist any benign scheduled activities using exchange powershell if applicable in your environment.
Block any identified as malicious scripts.