This will help you determine if mailbox login was done from Exchange Powershell session. By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell.
MITRE ATT&CK Tactics
Approved operational change.
1. Whitelist any recurring approved operational activities using exchange powershell if applicable in your environment.
2. Restrict user access via Powershell to specific high elevated AD accounts within your organization.
3. Investigate via Azure Sentinel the other actions completed by the affected account within your network.