Oh really ?
"However, these logs cannot tell us precisely what was in the mailbox at the time of the attack or whether the data was exported or just deleted,"
I understand that the logs can't, but the backup of the mailbox from the day before the hack surely should.
You have the backup, right ? Surely you specified in the contract that the mailbox needed regular backups, right ? A solid, international corporate structure advocating data security would not think of signing a vetting contract without proper backup procedures, wouldn't it ?
Why do I have the impression that I'm pissing in the wind, here ?