
Details - Login Events

Updated over 6 months ago

This guide defines what a suspicious login is for both O365 and G-Suite, and why it is flagged on an account.

Login Details: Data is received in 4-hour increments. Logins are posted to the summary sections and evaluated against policies on a 4-hour interval.


OFFICE 365

Office 365 looks for six separate indications of a suspicious login. Each is evaluated by either a Real-Time Check or an Offline Check.

Real-Time Check: Takes about 5-10 minutes to determine whether the activity is suspicious.

Offline Check: An offline check can take between 2 and 4 hours to complete.


Leaked Credentials (Offline Check):

  • When credentials are leaked they are often distributed across dark-web and black-market sites, where they are sold or simply posted on message boards. Microsoft actively monitors these sites for credentials belonging to your environment by working with researchers, the Microsoft security team, and law enforcement. If a user's credentials are found in any of these places, the account is marked as suspicious.


Anonymous IPs (Real-Time Check):

  • Attackers commonly try to hide their real IP address behind an anonymizing proxy. When a login occurs from a known anonymizing proxy IP address, a suspicious event is created. Microsoft maintains an actively updated list of these IP addresses.


Unrealistic Travel Times (Offline Check):

  • If an account has multiple logins within a short period of time from two or more different geographic locations, a check is made to verify that it is possible for the user to have traveled between the locations in that time. A machine-learning algorithm determines whether such logins should be treated as false positives, based on IP addresses used by other users in the organization and on whether the locations are typical for the user. This model also takes VPN access into account, and typically has a 14-day learning period for each account.
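The core of this check is a velocity calculation: the great-circle distance between the two login locations divided by the time between them. The following is an added example, not Microsoft's implementation, that runs that calculation over constructed sign-in records. The speed threshold, the minimum distance used to ignore geo-IP noise, and the set of organizational egress IPs (a corporate VPN or office NAT, whose geo-IP location says nothing about where the user really is) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed: egress IPs shared by the organisation (office NAT, corporate VPN). A sign-in through
# one of these places the tunnel exit, not the user, so such pairs are not velocity-checked.
ORG_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}

MAX_SPEED_KMH = 900.0    # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 200.0  # assumed: ignore short hops, which are usually geo-IP noise


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, org_ips=ORG_EGRESS_IPS,
                      max_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, earlier, later, km, kmh) for each pair of consecutive sign-ins by the
    same user that would require travelling faster than max_kmh."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            # VPN / office egress: the geo-IP location is the tunnel exit, not the user
            if a.ip in org_ips or b.ip in org_ips:
                continue
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append((user, a, b, round(km), round(kmh)))
    return findings


# Constructed sample sign-ins (documentation IP ranges, made-up users); not real log data.
SAMPLE_EVENTS = [
    # alice: London 09:00, then New York 10:30 -> ~5570 km in 1.5 h, physically impossible
    SignIn("alice", datetime(2024, 5, 1, 9, 0), "198.51.100.7", 51.5074, -0.1278),
    SignIn("alice", datetime(2024, 5, 1, 10, 30), "192.0.2.44", 40.7128, -74.0060),
    # bob: London 09:00, then Paris 12:00 -> ~344 km in 3 h, plausible
    SignIn("bob", datetime(2024, 5, 1, 9, 0), "198.51.100.8", 51.5074, -0.1278),
    SignIn("bob", datetime(2024, 5, 1, 12, 0), "198.51.100.9", 48.8566, 2.3522),
    # carol: London, then New York an hour later but via the corporate VPN egress -> ignored
    SignIn("carol", datetime(2024, 5, 1, 9, 0), "198.51.100.10", 51.5074, -0.1278),
    SignIn("carol", datetime(2024, 5, 1, 10, 0), "203.0.113.10", 40.7128, -74.0060),
    # dave: two London-area IPs two minutes apart, ~15 km -> below min_km, treated as geo-IP noise
    SignIn("dave", datetime(2024, 5, 1, 9, 0), "198.51.100.11", 51.5074, -0.1278),
    SignIn("dave", datetime(2024, 5, 1, 9, 2), "198.51.100.12", 51.3762, -0.0982),
]

if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(SAMPLE_EVENTS):
        minutes = (b.ts - a.ts).total_seconds() / 60
        print(f"{user}: {a.ip} -> {b.ip}, {km} km in {minutes:.0f} min (~{kmh} km/h)")
```

Only alice is reported: bob's London-to-Paris trip is achievable, carol's second login came through the VPN egress and is skipped, and dave's two logins are too close together in distance to be meaningful. A production check would additionally maintain the per-user and per-organization IP history the text describes during the learning period.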


New Locations (Real-Time Check):

  • When an account is logged in from a new location, a few checks are made to verify that the activity is normal:

    • Closeness to typical login locations

    • Known devices used to login

    • Known login locations

  • There is a 30-day learning period during which no flags are triggered while known locations and behaviors are learned. Once this period is over, any login outside of these parameters is considered suspicious.
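The learning period and the three checks above describe a per-account baseline that is first built and then compared against. The following added example (not Microsoft's code) replays constructed sign-ins through such a baseline. Because the page does not say how "closeness" is measured, the example approximates it as "same country as an already known location": a new city in a known country from a known device is tolerated and learned, while a new country or an unknown device is flagged. The 30-day period, the device identifier field and that policy are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=30)  # from the 30-day figure above; assumed to run per account


@dataclass
class SignIn:
    user: str
    ts: datetime
    country: str
    city: str
    device_id: str  # assumed: a stable device identifier reported by the client or browser


def new_location_flags(events, learning_period=LEARNING_PERIOD):
    """Replay sign-ins in time order and return [(sign_in, reasons)] for those flagged.

    Per account, the first `learning_period` after its first observed sign-in only fills the
    baseline (known cities, countries and devices); nothing is flagged. Afterwards each sign-in
    is checked against the baseline. A new city in a known country from a known device is
    tolerated (the 'closeness' approximation); a new country or an unknown device is flagged.
    Flagged sign-ins are not added to the baseline.
    """
    baseline = {}  # user -> {"start", "cities", "countries", "devices"}
    flagged = []
    for e in sorted(events, key=lambda e: e.ts):
        b = baseline.setdefault(e.user, {"start": e.ts, "cities": set(),
                                         "countries": set(), "devices": set()})
        reasons = []
        if e.ts - b["start"] >= learning_period:
            if (e.country, e.city) not in b["cities"]:
                reasons.append("new city" if e.country in b["countries"] else "new country")
            if e.device_id not in b["devices"]:
                reasons.append("new device")
        if reasons and reasons != ["new city"]:
            flagged.append((e, reasons))
            continue  # a suspicious sign-in must not teach the baseline
        b["cities"].add((e.country, e.city))
        b["countries"].add(e.country)
        b["devices"].add(e.device_id)
    return flagged


# Constructed sample; fictional user, cities chosen for illustration, made-up device IDs.
D0 = datetime(2024, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    SignIn("alice", D0, "GB", "London", "dev-1"),                           # learning
    SignIn("alice", D0 + timedelta(days=10), "GB", "Manchester", "dev-1"),  # learning
    SignIn("alice", D0 + timedelta(days=35), "GB", "Leeds", "dev-1"),       # new city, known country and device: tolerated
    SignIn("alice", D0 + timedelta(days=40), "NG", "Lagos", "dev-1"),       # new country: flagged
    SignIn("alice", D0 + timedelta(days=41), "GB", "London", "dev-9"),      # known city, unknown device: flagged
    SignIn("alice", D0 + timedelta(days=42), "GB", "London", "dev-1"),      # normal
]

if __name__ == "__main__":
    for e, reasons in new_location_flags(SAMPLE_EVENTS):
        print(f"{e.user} {e.ts:%Y-%m-%d} {e.city},{e.country} {e.device_id}: {', '.join(reasons)}")
```

Note the ordering dependency: the Leeds sign-in on day 35 is only tolerated because Manchester was learned during the first 30 days; the same sign-in on day 5 would have been silently learned, and on day 35 with an unknown device it would have been flagged. That is the practical meaning of the learning period: the baseline is only as trustworthy as the first 30 days of activity.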


Infected Devices (Offline Check):

  • Devices that have been infected with malware are also flagged as suspicious. A device is identified as infected when traffic between it and known bot servers (botnet command-and-control infrastructure) is detected.


Suspicious Activity (Offline Check):

  • Accounts are flagged as suspicious when multiple failed login attempts are seen within a short period of time. This check also looks for a single IP address attempting to connect to multiple user accounts and failing. Machine learning ignores false positives, such as IP addresses known to be used by others in the organization. There is an initial learning period of 14 days, during which no events are flagged.
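The two patterns described here are a brute-force burst against one account and a password spray (one IP failing against many accounts), with shared organizational IPs excluded to suppress false positives. The following added example (not Microsoft's implementation) runs both over a constructed login log. The log format, the thresholds, the 5-minute window, and the way shared IPs are learned (an IP that had successful sign-ins from at least two distinct accounts during the 14-day learning period) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not output of any real product.
# Assumed line format: "<ISO-8601 UTC timestamp> <OK|FAIL> <user> <source ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:00Z OK alice 203.0.113.10
2024-05-01T08:05:00Z OK bob 203.0.113.10
2024-05-01T08:06:00Z FAIL carol 203.0.113.10
2024-05-01T08:07:00Z OK carol 203.0.113.10
2024-05-20T09:00:00Z FAIL alice 203.0.113.10
2024-05-20T09:00:10Z FAIL bob 203.0.113.10
2024-05-20T09:00:20Z FAIL carol 203.0.113.10
2024-05-20T09:00:30Z FAIL dave 203.0.113.10
2024-05-20T10:00:00Z FAIL alice 198.51.100.7
2024-05-20T10:00:05Z FAIL bob 198.51.100.7
2024-05-20T10:00:10Z FAIL carol 198.51.100.7
2024-05-20T10:00:15Z FAIL dave 198.51.100.7
2024-05-20T11:00:00Z FAIL erin 192.0.2.44
2024-05-20T11:00:20Z FAIL erin 192.0.2.44
2024-05-20T11:00:40Z FAIL erin 192.0.2.44
2024-05-20T11:01:00Z FAIL erin 192.0.2.44
2024-05-20T11:01:20Z FAIL erin 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse(log):
    """Parse the log into sorted (timestamp, success, user, ip) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return sorted(events)


def learn_org_ips(events, learning_period=timedelta(days=14), min_users=2):
    """IPs with successful sign-ins from at least min_users distinct accounts during the
    learning period. These are treated as shared organisational egress and exempted from
    the spray check (assumed approximation of the false-positive suppression described)."""
    start = events[0][0]
    users_by_ip = defaultdict(set)
    for ts, ok, user, ip in events:
        if ts - start >= learning_period:
            break
        if ok:
            users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}


def detect(events, window=timedelta(minutes=5), max_fail_per_user=5,
           max_users_per_ip=3, learning_period=timedelta(days=14)):
    """Sliding-window detection over failures after the learning period.
    Emits ("brute_force", user, ip, ts) when one account reaches max_fail_per_user failures
    inside the window, and ("password_spray", ip, users, ts) when one non-organisational IP
    fails against max_users_per_ip distinct accounts inside the window."""
    start = events[0][0]
    org_ips = learn_org_ips(events, learning_period)
    user_fails = defaultdict(deque)  # user -> recent failure timestamps
    ip_fails = defaultdict(deque)    # ip -> recent (timestamp, user) failures
    alerts = []
    for ts, ok, user, ip in events:
        if ok or ts - start < learning_period:
            continue
        q = user_fails[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == max_fail_per_user:  # fire once, when the threshold is first reached
            alerts.append(("brute_force", user, ip, ts))
        if ip in org_ips:
            continue  # many users failing from a shared office/VPN IP is expected noise
        p = ip_fails[ip]
        p.append((ts, user))
        while p and ts - p[0][0] > window:
            p.popleft()
        distinct = {u for _, u in p}
        if len(distinct) == max_users_per_ip:
            alerts.append(("password_spray", ip, sorted(distinct), ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The four failures at 09:00 from 203.0.113.10 produce nothing because that IP was learned as a shared organizational address from successful sign-ins by alice, bob and carol on 1 May; the same pattern from 198.51.100.7 an hour later is reported as a spray, and erin's five rapid failures as a brute-force burst. Tuning the thresholds is the real work: too low and every help-desk password reset fires, too high and a slow spray across days goes unseen.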


G-SUITE

Google provides different but equally informative detail on login event types. Below are the event types Google flags, with a description of what each entails.

Note: See our page on investigating these logins.


Account Warnings

Leaked Password:

  • The account has been disabled because Google became aware that its password has been leaked on the internet and is available to potential bad actors.


Suspicious Login Blocked:

  • Google detected a suspicious login, and has blocked it.


Suspicious Login From Less Secure App Blocked:

  • Google detected a suspicious login from a less secure app (one that signs in with only a username and password rather than OAuth) and has blocked it.


User Suspended:

  • A suspended account tried to log in and was prevented from doing so.


User Suspended (Spam Through Relay):

  • Google detected the account being used to send spam through its SMTP relay service and has suspended it.


User Suspended (Suspicious Activity):

  • The account has been suspended because of activity indicating that it may have been compromised.


Attack Warnings

Government-Backed Attack:

  • Indicates that Google believes the account may be the target of a government-backed attack.


Logins

Failed Login:

The login attempt failed. This can be due to a number of reasons:

  • User does not have access to login to the service.

  • Account is disabled.

  • Invalid password.

  • Unable to complete challenge.


Login Challenged:

  • The user was issued a login challenge (such as a CAPTCHA).


Login Verification:

  • The user was issued a two-factor authentication login challenge.


Logout:

  • The user logged out of Google.


Successful Login:

  • The user successfully logged into Google.
