Unusual sign in activity

Author: s | 2025-04-24

Text presented in the Unusual Sign-in Activity email letter: Subject: Email Account Suspension account Unusual sign-in activity We detected something unusual about a recent sign-in to the I got an unusual sign in activity email from Microsoft from another country and the below is what I got. Session activity Additional verification requested Unusual activity detected Unusual activity detected Resolved unusual activity Successful sign-in. Does this mean that the hacker was able to sign in or did Microsoft prevent them?

Not Unusual unusual sign-in activity and consequent not

Different with your account recently, follow these steps to review your account security: Sign in to the Security basics page for your Microsoft account. Select Review activity to check for any unusual sign-in attempts on the Recent activity page. If you see account activity that you're sure wasn't yours, let us know and we can help secure your account—if it's in the Unusual activity section, you can expand the activity and select This wasn't me. If it's in the Recent activity section, you can expand the activity and select Secure your account. If you think someone else may have accessed your account, go back to the Security basics page and select Change password. Create a strong password that you can remember, and don't share it with anybody else. If you tried to sign in to your account but can't, someone may have changed your password. Follow these steps to get back into your account: Try to reset your password with the instructions listed in When you can't sign in to your Microsoft account. Starting with this step saves you extra effort if you accidentally signed in with a different account than the alert was for. If that doesn't work, try to sign in to your account again. Select Forgot my password on the sign-in page, and then select I think someone else is using my Microsoft account. Follow the instructions to recover your account. See also I think my account's been compromised My username and password have stopped working I can't sign in to my Microsoft account How to keep your Microsoft account safe and secure. Unblock my Outlook.com account Account security tools Need more help? Can't sign in? ​​​​​​​If you can't sign into your Microsoft account, most issues can be identified by our sign-in helper tool.Sign-in helper ​​​​​​​Contact Support For technical support, go to Contact Microsoft Support, enter your problem and select Get Help. If you still need help, select Contact Support to be routed to the best support option. Important: To protect your account and its contents, our support agents are not allowed to send password reset links, or access and change account details. Need more help? Want more options? Explore subscription benefits, browse training courses, learn how to secure your device, and more.

unusual sign-in activity and unsuccessful sign-in

AgentActivity rateBased on the policy results, security alerts are triggered. Defender for Cloud Apps looks at every user session on your cloud and alerts you when something happens that is different from the baseline of your organization or from the user's regular activity.In addition to native Defender for Cloud Apps alerts, you'll also get the following detection alerts based on information received from Microsoft Entra ID Protection:Leaked credentials: Triggered when a user's valid credentials have been leaked. For more information, see Microsoft Entra ID's Leaked credentials detection.Risky sign-in: Combines a number of Microsoft Entra ID Protection sign-in detections into a single detection. For more information, see Microsoft Entra ID's Sign-in risk detections.These policies will appear on the Defender for Cloud Apps policies page and can be enabled or disabled.Anomaly detection policiesYou can see the anomaly detection policies in the Microsoft Defender Portal, by going to Cloud Apps -> Policies -> Policy management. Then choose Anomaly detection policy for the policy type.The following anomaly detection policies are available:Impossible travelThis detection identifies two user activities (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials. This detection uses a machine-learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern. The impossible travel detection identifies unusual and impossible user activity between two locations. The activity should be unusual enough to be considered an indicator of compromise and worthy of an alert. To make this

Unusual sign-in activity - but no activity in the log

Howdy folks,I’m excited to announce the public preview of Azure AD My Sign-Ins—a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. As we discussed in a previous blog post, our team defends against hundreds of millions of password-based attacks every day.The My Sign-Ins page empowers users to see:If anyone is trying to guess their password.If an attacker successfully signed in to the account from a strange location.What apps the attacker tried to access.Robyn Hicock, who managed this feature, wrote a guest blog post where she dives into the details on this update. You’ll find her blog post below.As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.Best regards,Alex Simons (@Alex_A_Simons)Corporate VP of Program ManagementMicrosoft Identity Division___________________________________________________________________________________________Hi everyone!I’m super excited to share details about the new My Sign-Ins tile found on the users Overview blade:Just click the My Sign-Ins tile to display the location details of how an account was accessed.Here’s an example where I successfully signed in to Office 365 on Windows 10 from Washington:Most users should recognize their activity as being normal. However, if a user notices a Successful sign-in from strange location, browser, or operating system, an attacker may have gained access to the account. In this case, the user should change their password immediately and then go to the Security info page to update their security settings.There is a chance of a false positive since the approximate location and map is based on the IP Address (we call this “IP Address Geolocation”). Mobile networks are especially hard to geolocate since they sometimes route traffic through distant locations. For example, if a user signs in on their phone. Text presented in the Unusual Sign-in Activity email letter: Subject: Email Account Suspension account Unusual sign-in activity We detected something unusual about a recent sign-in to the

Reicived an Unusual sign-in activity, but no sign in activity shows

Applies ToMicrosoft account dashboard Microsoft prioritizes account security and works to prevent people from signing in without your permission. When we notice a sign-in attempt from a new location or device, we help protect the account by sending you an email message and an SMS alert. If your phone number or email changes, it's important to promptly update the security contact info on the Security basics page so we can work with you to keep your account secure and active. If someone has accessed your account ​​​​​​​If you think someone has accessed your account, check your Recent activity page and let us know if it wasn't you. Learn what to do if your username and password have stopped working. If you sign in to your account while traveling or if you install a new app that signs in with your account, you may get an alert. We just need you to provide a security code so we know it was you, and that your account is safe. To learn what you can do about unusual activity, select one of the following headings. It'll open to show more info. If there was an unusual sign-in attempt for your account, you'll get an email or text message. We'll send a message to all your alternate contact methods. To help protect your account, we'll need you to provide a security code from one of these contacts. This step prevents people who aren't you from signing in and lets us know if it was just you signing in from an unusual location or device. If you aren't sure about the source of an email, check the sender. You'll know it's legitimate if it's from the Microsoft account team at [email protected]. We may have blocked your sign-in if you're using a new device, if you installed a new app, or if you're traveling or in any new location. This security measure helps keep your account safe in case someone else gets your account information and tries to sign in as you. To unlock your account, follow the instructions on the sign-in screen and select where we can send you a security code. After you've received the code, enter it to access your account. Notes: If you're traveling and can't access the email or phone that you've associated with your account, there are some other options: If these options aren't available, you'll be able to get back in to your account after you sign in from a trusted device or from a usual location. If you brought a device you normally sign in to and you've set it as a trusted device, you can sign in from that device and get back into your account. If you left your phone at home and know someone who has access to it, you can ask them to tell you the security code sent to the device. If you received an email or text alerting you to an unusual sign-in attempt on your account but you haven't done anything

Unusual Sign-in activity not showing in recent activity

From Washington, the location might show the sign-in coming from California. This is why it helps to check more details about the sign-in, such as the operating system, browser, and app to confirm if it’s actually bad activity.An Unsuccessful sign-in, which shows no session activity, means that primary authentication (username/password) failed. This could mean that the user mistyped their password or an attacker was trying to guess the password. If it’s because an attacker was trying to guess the password (but was unsuccessful), then there’s no need for the user to change their password. However, this is a great reason for the user to register for Azure Multi-Factor Authentication (MFA), so even if the hacker eventually guesses the password, it won’t be enough to access the account. Based on our studies, accounts protected by MFA are 99.9 percent less likely to be compromised.An Unsuccessful sign-in, which shows Session activity of “Additional verification failed, invalid code,” means that primary authentication (username/password) succeeded, but MFA failed. If it was an attacker, they correctly guessed the password but were unable to pass the MFA challenge—such as round tripping a code to a phone number or by using the Microsoft Authenticator app. In this case, the user should still change their password (since the attacker got it right) and go to the Security info page to update their security settings.You can use the Search bar at the top to filter sign-ins by state, country, browser, operating system, app, or account. For example, below I filtered sign-ins in to the My Groups app:In the future, we’ll add This wasn’t me and This was me buttons. We’ll also highlight unusual activities detected with Identity Protection. This user feedback will help improve the accuracy of our risk detection systems. We do all of this already with the

Unusual sign in activity - Vivaldi Forum

Crucial in fortifying defenses against potential cyber threats. Conducting periodic security audits and penetration testing can help identify vulnerabilities and mitigate risks before they are exploited by malicious actors.Employee training and awareness programs play a vital role in maintaining network security hygiene. Educating staff about the importance of strong password practices, recognizing phishing attempts, and practicing safe browsing habits can significantly reduce the likelihood of security breaches. Implementing strong access controls and least privilege principles can limit the exposure of sensitive data and systems to unauthorized users.Furthermore, establishing incident response protocols and disaster recovery plans are essential components of network security best practices. Organizations should be prepared to swiftly respond to security incidents, contain breaches, and restore systems to normal operation. Regularly reviewing and updating security policies and procedures to align with evolving threats and compliance requirements is imperative for safeguarding network infrastructure and data assets.FAQsWhat Are The Common Signs Of Unusual Traffic On A Computer Network?Common signs of unusual traffic on a computer network include sudden spikes in network activity, unexpected bandwidth consumption, and slow network performance. Other indicators may include unfamiliar IP addresses accessing the network, abnormal data transfer patterns, and unauthorized devices connecting to the network. Monitoring for these signs can help identify potential security breaches or network issues before they escalate. Regular network traffic analysis and implementing intrusion detection systems can help detect and mitigate such unusual activities promptly.How Can Unusual Network Traffic Impact The Security Of A System?Unusual network traffic can indicate potential security threats such as malware infections, unauthorized access attempts, or denial of service attacks. This abnormal activity may signify that the system is being targeted by malicious actors, leading to data breaches, system vulnerabilities, and potential service disruptions. By monitoring and analyzing unusual network traffic, security teams can identify and respond to threats promptly to safeguard the system’s integrity and protect sensitive information from being compromised.What Are Some Potential Causes Of Unusual Network Activity?Unusual network activity may be caused by malware infections, such as botnets or ransomware, attempting to infiltrate the network. Another potential cause could be unauthorized users gaining access to the network, either through weak passwords or exploiting vulnerabilities in the system. Additionally, network misconfigurations or hardware malfunctions could also lead to unusual activity by disrupting normal traffic patterns. Regular network monitoring and security measures can help identify and mitigate these potential causes of unusual network activity.What Steps Can Be Taken To Detect Unusual Network Traffic?To detect unusual network traffic, organizations can implement network monitoring tools to analyze traffic patterns and identify any anomalies. They can set up alerts for suspicious activities such as unusually high data transfer volumes, unauthorized access attempts, or unusual communication patterns. Additionally, employing intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help detect and block malicious network traffic in real-time, enhancing network security. Regularly reviewing and analyzing network logs can also aid in identifying unusual behavior and potential security breaches.How Can Organizations Mitigate The Risks Associated With Unusual Network Behavior?Organizations can mitigate risks

Unusual Sign In Activity - Microsoft Community

Most detection methods, leaving anomaly-based methods as a last line of defense. Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity. Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities. Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team. AppendicesDarktrace / NETWORK model alertsUser / New Admin Credentials on Client Anomalous Connection / Unusual Admin SMB Session Compliance / SMB Drive Write Device / Anomalous SMB Followed By Multiple Model Breaches Anomalous File / Internal / Unusual SMB Script Write User / New Admin Credentials on Client Anomalous Connection / Unusual Admin SMB Session Compliance / SMB Drive Write Device / Anomalous SMB Followed By Multiple Model Breaches Anomalous File / Internal / Unusual SMB Script Write Device / New or Uncommon WMI Activity Unusual Activity / Internal Data Transfer Anomalous Connection / Download and Upload Anomalous Server Activity / Rare External from Server Compromise / Beacon to Young Endpoint Compromise / Agent Beacon (Short Period) Anomalous Server Activity / Anomalous External Activity from Critical Network Device Anomalous Connection / POST to PHP on New External Host Compromise / Sustained SSL or HTTP Increase Compromise / Sustained TCP Beaconing Activity To Rare Endpoint Anomalous Connection / Multiple Failed Connections to Rare Endpoint Device / Multiple C2 Model Alerts Anomalous Connection / Data Sent to Rare Domain Anomalous Connection / Download and Upload Unusual Activity / Unusual External Data Transfer Anomalous Connection / Low and Slow Exfiltration Anomalous Connection / Uncommon 1 GiB Outbound MITRE ATT&CK mapping (Technique name – Tactic ID)ShadowPad malware threadsInitial Access - Valid Accounts: Domain Accounts (T1078.002)Initial Access - External Remote Services (T1133)Privilege Escalation - Exploitation for Privilege Escalation (T1068)Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)Lateral Movement - Remote Services: SMB/Windows. Text presented in the Unusual Sign-in Activity email letter: Subject: Email Account Suspension account Unusual sign-in activity We detected something unusual about a recent sign-in to the

Unusual sign-in activity - Microsoft Community

Lead and the Darktrace Threat Research TeamAppendicesDarktrace Model DetectionsCase 1· Anomalous Connection / Unusual Admin SMB Session· Anomalous File / EXE from Rare External Location· Anomalous File / Internal / Unusual SMB Script Write· Anomalous File / Multiple EXE from Rare External Locations· Anomalous File / Script from Rare External Location· Compliance / SMB Drive Write· Device / Multiple Lateral Movement Model Alerts· Device / Network Range Scan· Device / Network Scan· Device / New or Uncommon WMI Activity· Device / RDP Scan· Device / Suspicious Network Scan Activity· Device / Suspicious SMB Scanning Activity· User / New Admin Credentials on Client· User / New Admin Credentials on Server Case 2· Anomalous Connection / Unusual Admin SMB Session· Anomalous Connection / Unusual Admin RDP Session· Compliance / SMB Drive Write· Device / Multiple Lateral Movement Model Alerts· Device / SMB Lateral Movement· Device / Possible SMB/NTLM Brute Force· Device / Suspicious SMB Scanning Activity· Device / Network Scan· Device / RDP Scan· Device / Large Number of Model Alerts· Device / Anomalous ITaskScheduler Activity· Device / Suspicious Network Scan Activity· Device / New or Uncommon WMI ActivityList of IoCs Possible IoCs:· DeElevator64.dll· deelevator64.dll· DeElevate64.exe· deelevator64.dll· deelevate64.exe· to.batMid-high confidence IoCs:- 104.238.130[.]185- DESKTOP-1JIMIV3References:1.

Unusual Sign-In Activity - Microsoft Community

Box. Unsync log from the Threat Visualizer time You may have arrived at the device event log via investigating a device that previously breached a model, so the device event log and main Threat Visualizer will show the same (past) time. Unsyncing the log means that you can change the time shown in the Threat Visualizer while still seeing the same data presented in the event log. When you click again to resync the log, it reverts to the time shown in the Threat Visualizer, if you have changed it. Unsync log from the Threat Visualizer filters If you are viewing a device in the main Threat Visualizer and have applied filters to show only certain types of activity from the right-hand side list (e.g., show only connections to port 443), the event log will by default apply these filters to the logs shown. Click this to remove or reapply the same filters as shown in the main Threat Visualizer. Choose which type of events to show in the log / types of events that can be filtered out ο Connections: indicated by a blue (outgoing) or red (incoming) arrow. A flashing arrow means the connection is ongoing ο Unusual connections: based on Darktrace mathematical modeling ο New connections: these are signaled in the same way as unusual connections, with a comment ο Unusual activity: mathematically-based contextual information; not a model breach. The activity may be slightly unusual but not enough to generate a model breach depending on how ‘sensitive’ the model is. Indicated by an orange circle ο Model Breaches: indicated by a blue triangle ο Notices: extra interesting contextual information about certain connections. Indicated by an ‘i’ sign ο History: device history such as IP address or hostname changes, and different usernames 36 Choose whether to show internal or external events in the log. View packet capture file for this device. Show only internal network events, only external events or both. See Creating Packet Captures. exchange-alt Toggle incoming/outgoing events. ENTRY-SPECIFIC ACTIONS Show only incoming connections, outgoing connections or both. Click on the caret-down triangle icon for a log entry to see a menu showing these event-related options. Hide duplicate connections. Shows/Hides repeated connections. Show connections to common hostnames Common hostnames are determined based on what this network’s devices typically connect to. Color-code events by their properties. Color-code the event log lines by the specific filter. Doing so will add additional details after the event line. For example, coloring by port will add the port in square brackets (e.g. [443]), coloring by application protocol will add this information instead, e.g. [DHCP]. Default color coding is controlled in each user’s account settings. The SaaS Device Event Log has special filter options - see Device Event Log for SaaS and Cloud. Highlight connections that transferred more than a certain amount of data. Filter on the amount of data transferred. Hide/show connection descriptions Hides/shows the interesting contextual descriptions. View advanced search for this device Opens a new browser tab to Darktrace advanced. Text presented in the Unusual Sign-in Activity email letter: Subject: Email Account Suspension account Unusual sign-in activity We detected something unusual about a recent sign-in to the

Unusual sign in activity - Microsoft Community

Message list, select Recover items deleted from this folder. If you find the message, select it and then select Restore. Notes: Messages removed from the Deleted Items folder are recoverable for 30 days. You can't recover messages removed the Deleted Items folder in Outlook for iOS or Outlook for Android apps or a mobile browser. To do this, please use a computer. Messages deleted from a child's account can't be recovered. Check the Filter menu If you're filtering your message list, the message you're looking for might not appear. To change your filtering options, select Filter above the message list and select All. If you're using the Outlook for iOS or Outlook for Android apps or a mobile browser, the current filter selection appears above the message list. To clear the filter selection, select it above the message list. Check your rules You might have created an Inbox rule or a Sweep rule that's that's moving messages to another folder. Go to Rules settings and check your rules. If you find a rule that's incorrectly moving messages out of your inbox, select to edit the rule or to delete it. Note: You must use a computer to view and edit your rules. Check the Archive folder If you've archived a message, it won't appear in your inbox. Make sure the missing message isn't in your Archive folder. If you want to move an archived message back to your inbox, select the message and then select Move to > Inbox. If you're using the Outlook for iOS or Outlook for Android apps or a mobile browser, go to the Archive folder, select the message and select > Move to folder > Inbox. Check the recent sign-in activity for your account If you get an email about unusual activity on your Microsoft account, or if you're worried that someone else might have used your account, go to the Recent activity page. You'll see when your Microsoft account was signed in during the last 30 days, along with any device or app-specific info. For answers to common questions, including how to get back into a compromised account and secure or close it, see What is the Recent activity page? For more information, please go to Check the recent sign-in activity for your Microsoft account. Still need help? To get support in Outlook.com, click here or select Help on the menu bar and enter your query. If the self-help doesn't solve your problem, scroll down to Still need help? and select Yes. To contact us in Outlook.com, you'll need to sign in. If you can't sign in, click here. For other help with your Microsoft account and subscriptions, visit Account & Billing Help. To