Office 365 Login Analyzer

An overview of a valuable cloud security app


One of the first indications of attack may be unexpected or repeated login attempts from unusual locations -- even outside the country. An effective defense can be as simple as monitoring for login attempts originating outside the country. Unfortunately, this seemingly simple task is more complicated in a cloud environment.

The Login Analyzer tracks login attempts across all organizations and alerts you when there is an attempt to log in from a foreign country. You can configure which countries you expect to be using your cloud instances independently for each organization, or even whitelist individual IPs in the configuration settings.

What to Look At

This is a list of people trying to log in to your Office 365 instance. Look at:

1. Who is trying to log in?

2. Where are they trying to log in from?

When to Be Scared

If you are getting a large number of login attempts (especially successful login attempts), panic.

If you are getting login attempts from new accounts, accounts with unusual names or names that do not follow your naming conventions, or accounts you have never seen before (when you are familiar with an organization's users), panic and investigate immediately.

If you are getting login attempts from countries in which your organization does not have employees, especially Russia, China, or Iran, investigate immediately.

If you get login alerts with non-zero reputation detections (i.e. at least one red dot in the circles on the alert), investigate immediately.


If this seems like a lot to keep track of, look into our Managed SOC plan.

We will investigate and triage all logins, leaving you free to relax.


When to Not Be Scared

If your customer takes business trips to a foreign country and there are a small number of successful logins from that country, it is most likely that this is a legitimate employee accessing the network on a business trip.

If you see logins that occur at unusual times of the day or outside business hours, this could be malicious. However, keep time zones in mind. A login from someone in England that happens at 4 a.m. in the USA is reasonable. England is 5-8 hours ahead of North American working hours (depending on Daylight Saving Time).
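
The checks described in the two sections above can be written as a short triage routine. This is an added example, not the Login Analyzer's own code: the record fields, the organization name, the 07:00-19:00 business-hours window, and the rule that whitelisted IPs are never flagged are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed per-organization settings (names and values are hypothetical).
ORG_CONFIG = {
    "contoso": {
        "expected_countries": {"US", "GB"},
        "allowed_networks": [ip_network("203.0.113.0/24")],
        "known_users": {"alice@contoso.example", "bob@contoso.example"},
    },
}

# Constructed sign-in records; field names are assumptions, not a real export schema.
EVENTS = [
    # 09:00 in England is 04:00 US Eastern: odd for the analyst, normal for the user.
    {"user": "alice@contoso.example", "ip": "198.51.100.7", "country": "GB",
     "utc_offset": 0, "time_utc": "2024-01-15T09:00:00+00:00", "reputation_hits": 0},
    {"user": "svc-test9@contoso.example", "ip": "192.0.2.44", "country": "BR",
     "utc_offset": -3, "time_utc": "2024-01-15T06:30:00+00:00", "reputation_hits": 2},
    {"user": "bob@contoso.example", "ip": "203.0.113.20", "country": "FR",
     "utc_offset": 1, "time_utc": "2024-01-15T23:00:00+00:00", "reputation_hits": 0},
]

def triage(org, event):
    """Return the reasons a sign-in deserves investigation (empty list: none)."""
    cfg = ORG_CONFIG[org]
    source = ip_address(event["ip"])
    if any(source in net for net in cfg["allowed_networks"]):
        return []  # whitelisted IPs are never flagged (assumed behaviour)
    reasons = []
    if event["country"] not in cfg["expected_countries"]:
        reasons.append("unexpected-country")
    if event["user"] not in cfg["known_users"]:
        reasons.append("unknown-account")
    if event["reputation_hits"] > 0:
        reasons.append("reputation-detection")
    # Judge business hours in the source location's local time, not the analyst's.
    local_zone = timezone(timedelta(hours=event["utc_offset"]))
    local = datetime.fromisoformat(event["time_utc"]).astimezone(local_zone)
    if not 7 <= local.hour < 19:
        reasons.append("outside-local-business-hours")
    return reasons

if __name__ == "__main__":
    for e in EVENTS:
        print(e["user"], e["country"], triage("contoso", e) or "ok")
```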
