Detecting Suspicious Logins in Microsoft 365: A Practical Guide

Reinfort Team
Tags: security, sign-in-logs, threat-detection, incident-response

Detecting Suspicious Logins in Microsoft 365

Account compromises are one of the most common security threats facing organizations today. This guide will help you understand, detect, and respond to suspicious login attempts in your Microsoft 365 environment.

Understanding Sign-In Risk Indicators

What Makes a Login Suspicious?

Not all unusual logins are malicious, but certain patterns should trigger investigation:

Location-Based Anomalies

  • Sign-ins from countries where your organization doesn't operate
  • Access from high-risk regions known for cyber attacks
  • Impossible travel (sign-ins from distant locations within minutes)

Device and Network Indicators

  • Unknown or unmanaged devices
  • Anonymous IP addresses (VPN, Tor, proxies)
  • IP addresses with poor reputation
  • Unusual user agents or browsers

Behavioral Patterns

  • Sign-ins at unusual times for that user
  • Multiple failed authentication attempts
  • First-time access to new resources
  • Sudden spike in activity

Risk Events

  • Leaked credentials detected on dark web
  • Malware-infected devices
  • Unfamiliar sign-in properties
  • Anonymous IP address usage

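The location-based indicators above (impossible travel, countries the organization does not operate in, anonymizer addresses) can be checked mechanically over a batch of sign-in events. The following is an added example written for this page, not Reinfort's code: the events, the operating-country list, the 900 km/h speed threshold and the anonymous_ip flag are constructed assumptions that you would tune for your own tenant and feed from your own geo-IP and threat-intelligence sources.

```python
"""Location-based sign-in anomalies: impossible travel, unexpected countries, anonymizers.

Added example, not Reinfort's code. Events, the operating-country list and the
speed threshold are constructed assumptions to tune for your tenant.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

OPERATING_COUNTRIES = {"US", "DE"}   # assumption: where the organization has staff
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0               # ignore geo-IP jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    country: str
    lat: float
    lon: float
    anonymous_ip: bool = False   # set from an anonymizer/threat-intel feed (assumed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """(user, earlier, later, implied km/h) for consecutive sign-ins a person could not make."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Same timestamp but far apart: treat as infinitely fast, i.e. impossible.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, speed))
    return findings


def location_findings(events, operating_countries=OPERATING_COUNTRIES):
    """(reason, event) for sign-ins outside operating countries or via anonymizers."""
    out = []
    for e in events:
        if e.country not in operating_countries:
            out.append(("unexpected_country", e))
        if e.anonymous_ip:
            out.append(("anonymous_ip", e))
    return out


def _t(h, m):
    return datetime(2024, 5, 6, h, m)


# Constructed sample: documentation IP ranges, fictitious users.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", _t(9, 0), "192.0.2.5", "US", 40.7128, -74.0060),    # New York
    SignIn("alice@example.com", _t(9, 30), "203.0.113.7", "DE", 52.5200, 13.4050),  # Berlin, 30 min later
    SignIn("bob@example.com", _t(8, 0), "192.0.2.9", "US", 41.8781, -87.6298),      # Chicago
    SignIn("bob@example.com", _t(12, 0), "192.0.2.10", "US", 40.7128, -74.0060),    # New York, 4 h later
    SignIn("carol@example.com", _t(10, 0), "198.51.100.4", "BR", -23.5505, -46.6333, anonymous_ip=True),
]

if __name__ == "__main__":
    for user, a, b, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user} {a.country}->{b.country} implies {speed:,.0f} km/h")
    for reason, e in location_findings(SAMPLE_EVENTS):
        print(f"{reason}: {e.user} from {e.ip} ({e.country})")
```

Alice's New York to Berlin pair (about 6,400 km in 30 minutes) is flagged, Bob's Chicago to New York pair over four hours is not, and Carol is listed twice, once for the country and once for the anonymizer. The 50 km floor matters in practice: geo-IP databases move a user between neighbouring cities between sign-ins, and without it the check generates noise rather than findings.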
Common Attack Scenarios

1. Credential Stuffing

What It Is: Attackers use username/password pairs leaked from other breaches to attempt access to your Microsoft 365 environment.

Detection Signs:

  • Multiple failed sign-ins from various IP addresses
  • Successful sign-ins from unexpected locations shortly after password leaks
  • Unusual access patterns immediately after successful authentication

Response:

  • Force password reset for affected accounts
  • Enable MFA if not already active
  • Review sign-in logs for unauthorized access
  • Check for suspicious email rules or forwarding

2. Phishing Attacks

What It Is: Users are tricked into providing credentials through fake login pages or malicious emails.

Detection Signs:

  • Sign-in from unfamiliar location shortly after receiving suspicious email
  • Sudden changes to inbox rules or email forwarding
  • Access from IP addresses associated with phishing campaigns

Response:

  • Immediately reset credentials
  • Review and remove suspicious inbox rules
  • Check sent items for spam or malicious emails
  • Educate user on phishing identification

3. Session Hijacking

What It Is: Attackers steal active session tokens to access accounts without needing credentials.

Detection Signs:

  • Multiple concurrent sessions from different locations
  • Session transfers between geographical locations
  • Unusual API access patterns
  • Access to resources not typically used by the account

Response:

  • Revoke all active sessions
  • Force re-authentication
  • Review OAuth app permissions
  • Check for suspicious activity in accessed resources

4. Brute Force Attacks

What It Is: Systematic attempts to guess passwords through automated tools.

Detection Signs:

  • High volume of failed sign-in attempts
  • Failed attempts from single IP or IP range
  • Dictionary-based password attempts
  • Attempts targeting admin accounts

Response:

  • Enable account lockout policies
  • Implement IP blocking for repeated failures
  • Force MFA for targeted accounts
  • Review and strengthen password policies
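The detection signs for credential stuffing and brute force above are both about failed authentications, but they look different in the logs: a brute-force source hammers one or a few accounts many times, while stuffing replays leaked pairs once each across many accounts and many source addresses. The code below is an added example written for this page (not Reinfort's detection logic); the events are constructed from documentation IP ranges and fictitious users, and the thresholds are assumptions to tune per tenant.

```python
"""Classify failed-authentication patterns in a batch of sign-in events.

Added example, not Reinfort's code. Events are constructed (documentation IP
ranges, fictitious users) and the thresholds are assumptions to tune per tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime

BRUTE_FORCE_FAILURES = 5      # failures from one source IP in the batch
STUFFING_MIN_USERS = 10       # distinct accounts that each fail exactly once...
STUFFING_MIN_SOURCES = 6      # ...spread over at least this many source IPs
FAILURES_BEFORE_SUCCESS = 3   # failure streak that makes a following success suspect


def brute_force_sources(events, threshold=BRUTE_FORCE_FAILURES):
    """{source IP: [targeted users]} for IPs with at least `threshold` failures."""
    failures = Counter()
    targets = defaultdict(set)
    for _, user, ip, ok in events:
        if not ok:
            failures[ip] += 1
            targets[ip].add(user)
    return {ip: sorted(targets[ip]) for ip, n in failures.items() if n >= threshold}


def credential_stuffing(events, min_users=STUFFING_MIN_USERS, min_sources=STUFFING_MIN_SOURCES):
    """Many accounts failing exactly once from many sources looks like leaked-pair replay.
    A later success from one of those source IPs is the account to investigate first."""
    per_user = Counter(user for _, user, _, ok in events if not ok)
    one_shot = {u for u, n in per_user.items() if n == 1}
    campaign_ips = {ip for _, u, ip, ok in events if not ok and u in one_shot}
    suspected = len(one_shot) >= min_users and len(campaign_ips) >= min_sources
    hits = [(u, ip) for _, u, ip, ok in sorted(events) if ok and ip in campaign_ips]
    return {"suspected": suspected, "users": len(one_shot), "sources": len(campaign_ips),
            "successes_from_campaign_ips": hits if suspected else []}


def success_after_failures(events, min_failures=FAILURES_BEFORE_SUCCESS):
    """(user, ip, streak) where a success follows >= min_failures consecutive failures
    for that user and comes from an IP that had no earlier success for them."""
    streak = Counter()
    trusted_ips = defaultdict(set)
    out = []
    for _, user, ip, ok in sorted(events):
        if not ok:
            streak[user] += 1
            continue
        if streak[user] >= min_failures and ip not in trusted_ips[user]:
            out.append((user, ip, streak[user]))
        trusted_ips[user].add(ip)
        streak[user] = 0
    return out


def _t(h, m):
    return datetime(2024, 5, 6, h, m)


# Constructed batch: (timestamp, user, source IP, succeeded).
EVENTS = [(_t(2, i), "admin@example.com", "203.0.113.10", False) for i in range(6)]
EVENTS.append((_t(2, 7), "admin@example.com", "203.0.113.10", True))       # guessing finally worked
EVENTS += [(_t(3, i), f"user{i:02d}@example.com", f"198.51.100.{i + 1}", False) for i in range(12)]
EVENTS.append((_t(3, 20), "user05@example.com", "198.51.100.6", True))      # one leaked pair was valid
EVENTS += [(_t(9, 0), "alice@example.com", "192.0.2.5", False),            # Alice mistypes twice
           (_t(9, 1), "alice@example.com", "192.0.2.5", False),
           (_t(9, 2), "alice@example.com", "192.0.2.5", True)]

if __name__ == "__main__":
    print("brute force:", brute_force_sources(EVENTS))
    print("credential stuffing:", credential_stuffing(EVENTS))
    print("success after failure streak:", success_after_failures(EVENTS))
```

On this batch the admin account's source is reported as brute force and its eventual success is reported separately as a success following a failure streak, the twelve one-shot failures trip the stuffing rule and single out user05 as the account whose leaked password was valid, and Alice's two typos from her usual address trip nothing. The per-user streak counter is what separates the last two cases: a password reset after a typo is wasted effort, a password reset after a six-failure streak ending in success from an unseen address is the response the guide prescribes.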

Monitoring Sign-In Logs Effectively

Essential Log Data Points

When reviewing sign-in logs, focus on:

User Information

  • Username and display name
  • User type (member, guest, external)
  • Assigned roles and permissions

Authentication Details

  • Sign-in date and time
  • Authentication method (password, MFA, passwordless)
  • Success or failure status
  • Failure reason (if applicable)

Location Data

  • IP address
  • City, state, country
  • ISP information
  • Coordinates

Device Information

  • Device name
  • Operating system
  • Browser and version
  • Device management status

Risk Assessment

  • Risk level (low, medium, high)
  • Risk state (confirmed safe, at risk, confirmed compromised)
  • Risk event types
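The data points listed above map onto fields of an Entra ID sign-in log export, and pulling them into one flat record per sign-in is the first step of any review. The following is an added example for this page, not Reinfort's code: the input shape follows the Microsoft Graph signIn resource as I understand it (userPrincipalName, ipAddress, location, deviceDetail, status, riskLevelDuringSignIn, riskState, riskEventTypes_v2), so verify the field names against your own export; the records are constructed, and the "#EXT#" guest heuristic and the review rules are assumptions.

```python
"""Flatten Entra ID sign-in log records into the review fields listed above.

Added example, not Reinfort's code. Field names follow the Microsoft Graph signIn
resource as I understand it; verify them against your own export. Records are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional

SAMPLE_EXPORT = json.dumps({"value": [
    {"createdDateTime": "2024-05-06T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.5", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 42.36, "longitude": -71.06}},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 124.0.0", "isManaged": True},
     "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes_v2": []},
    {"createdDateTime": "2024-05-06T08:15:40Z",
     "userPrincipalName": "bob_partner.example#EXT#@example.onmicrosoft.com",
     "ipAddress": "198.51.100.22", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0},
     "location": {"countryOrRegion": "IE", "geoCoordinates": {"latitude": 53.35, "longitude": -6.26}},
     "deviceDetail": {"operatingSystem": "MacOs", "browser": "Chrome 124.0.0", "isManaged": False},
     "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes_v2": []},
    {"createdDateTime": "2024-05-06T08:40:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.18", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126,
                "failureReason": "Error validating credentials due to invalid username or password."},
     "deviceDetail": {"operatingSystem": "Linux", "browser": "Chrome 110.0.0"},
     "riskLevelDuringSignIn": "low", "riskState": "none", "riskEventTypes_v2": []},
    {"createdDateTime": "2024-05-06T09:05:27Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.77", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Firefox 125.0", "isManaged": False},
     "riskLevelDuringSignIn": "high", "riskState": "atRisk",
     "riskEventTypes_v2": ["anonymizedIPAddress", "unfamiliarFeatures"]},
]})


@dataclass
class SignInSummary:
    user: str
    is_guest: bool            # heuristic: guest UPNs carry "#EXT#"
    when: str
    auth_requirement: str     # singleFactorAuthentication / multiFactorAuthentication
    succeeded: bool
    error_code: int
    failure_reason: Optional[str]
    ip: str
    country: Optional[str]
    coordinates: Optional[tuple]
    os: Optional[str]
    browser: Optional[str]
    managed: bool
    risk_level: str
    risk_state: str
    risk_events: list


def summarize(rec: dict) -> SignInSummary:
    """Flatten one record; every nested object may be absent, so default each one."""
    status = rec.get("status") or {}
    loc = rec.get("location") or {}
    geo = loc.get("geoCoordinates") or {}
    dev = rec.get("deviceDetail") or {}
    code = int(status.get("errorCode") or 0)   # 0 means the sign-in succeeded
    upn = rec.get("userPrincipalName", "")
    coords = None
    if geo.get("latitude") is not None and geo.get("longitude") is not None:
        coords = (float(geo["latitude"]), float(geo["longitude"]))
    return SignInSummary(
        user=upn, is_guest="#EXT#" in upn, when=rec.get("createdDateTime", ""),
        auth_requirement=rec.get("authenticationRequirement", "unknown"),
        succeeded=code == 0, error_code=code,
        failure_reason=status.get("failureReason") if code else None,
        ip=rec.get("ipAddress", ""), country=loc.get("countryOrRegion"), coordinates=coords,
        os=dev.get("operatingSystem") or None, browser=dev.get("browser") or None,
        managed=bool(dev.get("isManaged")),
        risk_level=rec.get("riskLevelDuringSignIn") or "none",
        risk_state=rec.get("riskState") or "none",
        risk_events=list(rec.get("riskEventTypes_v2") or []),
    )


def parse_export(text: str) -> list:
    return [summarize(r) for r in json.loads(text).get("value", [])]


def review_reasons(s: SignInSummary) -> list:
    """Why a reviewer should look at this record; an empty list means routine."""
    reasons = []
    if s.risk_level in ("medium", "high") or s.risk_state == "atRisk":
        reasons.append(f"risk:{s.risk_level}")
    if not s.succeeded:
        reasons.append(f"failed:{s.error_code}")
    if s.succeeded and not s.managed:
        reasons.append("unmanaged_device")
    if s.succeeded and s.auth_requirement == "singleFactorAuthentication":
        reasons.append("no_mfa")
    if s.is_guest:
        reasons.append("guest_user")
    return reasons


def review_queue(summaries) -> list:
    """(user, reasons) for records needing a human look, highest risk level first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    flagged = [(s, review_reasons(s)) for s in summaries if review_reasons(s)]
    flagged.sort(key=lambda sr: (order.get(sr[0].risk_level, 3), sr[0].when))
    return [(s.user, r) for s, r in flagged]
```

Alice's routine MFA sign-in from a managed device produces no reasons and drops out of the queue; Carol's high-risk, single-factor sign-in from an unmanaged device sorts to the top; the failed attempt against Alice keeps its error code and failure reason; and the guest's single-factor access from an unmanaged device is queued as a lower-priority review. The defensive `.get()` chain in summarize is not cosmetic: failed sign-ins routinely lack location coordinates and device details, and a parser that assumes every nested object is present crashes on exactly the records worth reading.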

Creating an Effective Monitoring Strategy

Real-Time Monitoring

  • Set up alerts for high-risk sign-ins
  • Monitor admin account activity
  • Track after-hours access
  • Flag access from blocklisted countries

Daily Reviews

  • Review all failed sign-in attempts
  • Check for impossible travel scenarios
  • Investigate anonymous IP access
  • Review new device registrations

Weekly Analysis

  • Trend analysis of sign-in locations
  • User behavior pattern analysis
  • Failed attempt pattern identification
  • MFA adoption tracking

Monthly Audits

  • Comprehensive access review
  • Unusual access pattern identification
  • Policy effectiveness assessment
  • Security posture evaluation

Using Reinfort for Suspicious Login Detection

Automated Detection

Reinfort automatically identifies suspicious logins by analyzing:

  • Behavioral patterns - Deviations from normal user behavior
  • Location analysis - Impossible travel and unusual locations
  • Device fingerprinting - New and unmanaged devices
  • Threat intelligence - Known malicious IP addresses
  • Risk scoring - Aggregate risk assessment

Real-Time Alerts

Get notified immediately when:

  • High-risk sign-ins are detected
  • Admin accounts sign in from new locations
  • Multiple failed attempts occur
  • Impossible travel is identified
  • Anonymous IPs are used

Investigation Workflow

Reinfort provides a streamlined investigation process:

  1. Alert Review - See all high-risk sign-ins in one dashboard
  2. Context Gathering - Automatic collection of relevant data
  3. Risk Assessment - AI-powered risk scoring
  4. Action Items - Recommended response steps
  5. Documentation - Maintain audit trail of investigations

Investigation Best Practices

Step 1: Gather Context

Before taking action, collect information:

  • User's typical behavior - Normal sign-in locations, devices, times
  • Recent activity - What resources did they access?
  • User confirmation - Was this access legitimate?
  • Related events - Any other suspicious activity from this user or IP?

Step 2: Assess Risk Level

Categorize the incident:

Low Risk

  • User confirmed legitimate
  • Known VPN usage
  • Travel with proper notification
  • No sensitive data accessed

Medium Risk

  • Unclear if legitimate
  • Some unusual characteristics
  • Limited data access
  • No admin privileges involved

High Risk

  • User denies access
  • Multiple risk indicators
  • Sensitive data accessed
  • Admin account compromised
  • Evidence of lateral movement

Step 3: Take Appropriate Action

Based on risk level:

Low Risk Response

  • Document the incident
  • Continue monitoring
  • User education if needed

Medium Risk Response

  • Contact user for confirmation
  • Review accessed resources
  • Force password reset (precautionary)
  • Enhanced monitoring for 48 hours

High Risk Response

  • Immediately revoke active sessions
  • Force password reset
  • Disable account temporarily
  • Review all accessed resources
  • Check for data exfiltration
  • Scan for malware
  • Notify the incident response team
  • Consider forensic investigation

Step 4: Document and Learn

After resolution:

  • Document timeline of events
  • Record actions taken
  • Identify prevention measures
  • Update detection rules
  • Share lessons learned
  • Update security policies if needed

Prevention Strategies

Proactive Measures

Enforce MFA Everywhere

  • Require for all users
  • Use app-based authentication
  • Implement Conditional Access

Implement Conditional Access Policies

  • Require compliant devices
  • Block high-risk locations
  • Enforce MFA for sensitive apps
  • Limit access based on network

Monitor Continuously

  • Use automated monitoring tools
  • Set up real-time alerts
  • Regular log reviews
  • Trend analysis

User Education

  • Security awareness training
  • Phishing simulations
  • Password best practices
  • Reporting procedures

Network Security

  • Use VPNs for remote access
  • Implement network segmentation
  • Deploy endpoint protection
  • Regular security updates

Responding to Confirmed Compromises

If an account is confirmed compromised:

Immediate Actions (0-1 hour)

  1. Contain the breach

    • Revoke all active sessions
    • Disable the account
    • Block sign-ins
  2. Assess the damage

    • Review accessed resources
    • Check for data exfiltration
    • Identify lateral movement
    • Review email rules and forwarding
  3. Notify stakeholders

    • Security team
    • User's manager
    • Compliance team (if required)
    • Legal team (for sensitive data)

Recovery Actions (1-24 hours)

  1. Secure the account

    • Force password reset
    • Reset MFA devices
    • Review app permissions
    • Remove suspicious OAuth apps
  2. Clean up

    • Remove malicious inbox rules
    • Delete suspicious emails
    • Restore from backup if needed
    • Revoke suspicious delegations
  3. Restore access

    • Re-enable account
    • Verify user identity
    • Monitor closely for 48 hours

Post-Incident (24+ hours)

  1. Conduct post-mortem

    • Document timeline
    • Identify root cause
    • Determine attack vector
    • Assess response effectiveness
  2. Implement improvements

    • Update security policies
    • Enhance detection rules
    • Improve user training
    • Strengthen controls
  3. Compliance reporting

    • Notify affected parties
    • Regulatory reporting (if required)
    • Update incident log
    • Document lessons learned

Conclusion

Detecting suspicious logins requires a combination of:

  • Automated monitoring - Tools like Reinfort for continuous detection
  • Human judgment - Security team expertise to assess context
  • Quick response - Immediate action when threats are identified
  • Continuous improvement - Learning from each incident

Remember: Early detection is critical. The faster you identify suspicious activity, the less damage an attacker can cause.

Start Monitoring Today

Ready to protect your Microsoft 365 environment? Try Reinfort free for 14 days and start detecting suspicious logins in real-time.

Need help? Contact our security team for a personalized demo and security assessment.
