Suspicious Login Attempt Detection

Authentication Attacks | Multi-Platform | Account Compromise / Anomalous Access

What This Means

Identify suspicious login attempts through behavioral analysis. Detect compromised accounts, unauthorized access, and social engineering by recognizing anomalous authentication patterns.

Example Log

-- Azure AD / Windows login showing suspicious indicators:
Sign-in: jsmith@contoso.com
Status: Success
Location: Lagos, Nigeria (user based in New York)
Device: Unknown device, Linux browser
Risk Level: High
Time: 03:42 AM (user's local time)
MFA: Not prompted (legacy auth protocol)

Indicators of Suspicious Activity

How to Investigate

  1. Verify with the user whether they initiated the login
  2. Check the exact IP, device, and browser information
  3. Review what actions were taken after the suspicious login
  4. Check if any data was accessed, exported, or modified
  5. Determine if MFA was properly enforced (legacy auth bypass?)
  6. Investigate whether the user's credentials appear in known breach databases
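
The following is an added example, not code from this page or from any product, showing how steps 2 to 5 of the list above can be run over an audit trail: it records the IP, device and protocol of the sign-in, flags a legacy-auth sign-in that was never prompted for MFA, and lists what the session did afterwards. The event names, field names, time window and sample events are all constructed for illustration and are not any vendor's log schema; steps 1 and 6 (confirming with the user, checking breach databases) remain manual.

```python
"""Added example: triage the audit trail that follows a suspicious sign-in.
Event names, fields, thresholds and sample events are constructed, not a
vendor's schema."""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M"   # constructed; times are in the user's local time zone

# Constructed audit events for the page's example user around the 03:42 sign-in.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
AUDIT_EVENTS = [
    {"time": "2024-05-02 03:42", "event": "SignIn", "ip": "203.0.113.45",
     "device": "Unknown device, Linux browser", "protocol": "IMAP", "mfa_prompted": False},
    {"time": "2024-05-02 03:44", "event": "InboxRuleCreated",
     "detail": "forward all mail to an external address"},
    {"time": "2024-05-02 03:51", "event": "FileDownloaded", "detail": "Finance/Q1-forecast.xlsx"},
    {"time": "2024-05-02 04:05", "event": "PasswordChanged", "detail": "self-service reset"},
    {"time": "2024-05-02 09:15", "event": "SignIn", "ip": "198.51.100.7",
     "device": "Corporate laptop", "protocol": "Modern", "mfa_prompted": True},
    {"time": "2024-05-02 09:30", "event": "FileDownloaded", "detail": "HR/holiday-form.pdf"},
]

# Protocols that cannot carry an MFA prompt; a sign-in over one of these with
# no MFA prompt is the "legacy auth bypass" the investigation step asks about.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP", "Basic"}

# Post-login events worth listing, with what each one implies for the analyst.
ACTIONS_OF_CONCERN = {
    "InboxRuleCreated": "email rule: possible persistence or exfiltration",
    "MailForwardingEnabled": "email forwarding: possible exfiltration",
    "FileDownloaded": "data accessed or exported",
    "FileModified": "data modified",
    "PasswordChanged": "credential change: the real user may now be locked out",
    "MfaMethodAdded": "new MFA method: possible persistence",
}
# Events that by themselves justify resetting credentials and revoking sessions;
# plain data access is listed for review but needs the user's confirmation first.
TAKEOVER_SIGNALS = {"InboxRuleCreated", "MailForwardingEnabled", "PasswordChanged", "MfaMethodAdded"}


def triage(events, signin_time, window_hours=4):
    """Summarise one sign-in and the events that followed it within the window."""
    signin = next(e for e in events if e["event"] == "SignIn" and e["time"] == signin_time)
    start = datetime.strptime(signin_time, TIME_FMT)
    end = start + timedelta(hours=window_hours)

    post_login = []
    for e in events:
        t = datetime.strptime(e["time"], TIME_FMT)
        if start < t <= end and e["event"] in ACTIONS_OF_CONCERN:
            post_login.append((e["time"], e["event"], e.get("detail", ""),
                               ACTIONS_OF_CONCERN[e["event"]]))

    legacy_bypass = signin["protocol"] in LEGACY_PROTOCOLS and not signin["mfa_prompted"]
    takeover = any(a[1] in TAKEOVER_SIGNALS for a in post_login)
    return {
        "ip": signin["ip"],                      # step 2: exact IP, device, protocol
        "device": signin["device"],
        "protocol": signin["protocol"],
        "legacy_auth_bypass": legacy_bypass,     # step 5: was MFA actually enforced?
        "post_login_actions": post_login,        # steps 3 and 4: what happened next
        "recommend_containment": legacy_bypass or takeover,
    }


if __name__ == "__main__":
    for when in ("2024-05-02 03:42", "2024-05-02 09:15"):
        report = triage(AUDIT_EVENTS, when)
        print(when, report["ip"], "legacy bypass:", report["legacy_auth_bypass"],
              "containment:", report["recommend_containment"])
        for action in report["post_login_actions"]:
            print("   ", *action)
```

Run against the constructed events, the 03:42 sign-in comes back with a legacy-auth bypass, an inbox rule, a file download and a password change inside the window, so containment is recommended; the 09:15 corporate-laptop sign-in shows only a routine download and no bypass, so it is listed for review without an automatic reset.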

Recommended Mitigations

Frequently Asked Questions

What makes a login suspicious?
Key indicators include: unusual location, new device, off-hours timing, legacy auth protocol use, login from VPN/proxy IPs, impossible travel, and login patterns inconsistent with the user's established behavior.
How do I investigate a suspicious login?
First confirm with the user. Then check the IP reputation, review post-login actions (data access, email rules, password changes), and verify MFA was enforced. If compromise is confirmed, reset credentials and revoke sessions.
What is adaptive authentication?
Adaptive authentication adjusts security requirements based on risk signals. Low-risk logins proceed normally, while suspicious logins trigger additional verification like MFA step-up, device verification, or manager approval.
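
As an added example covering both the indicators on this page (the example log above and the first FAQ answer) and the adaptive-authentication answer just given, the code below is not from the page or any vendor: it evaluates a sign-in record for unusual location, new device, off-hours timing, legacy protocol, missing MFA prompt and impossible travel against the previous sign-in, assigns a risk level, and maps that level to allow, step-up, or block. Record fields, weights, thresholds and the sample records are constructed, and IP-to-location lookup is assumed to have happened upstream.

```python
"""Added example: score a sign-in for the page's indicators and choose an
adaptive-authentication response. Fields, weights, thresholds and samples are
constructed; geolocation of the sign-in IP is assumed to be done already."""
import math
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M"            # constructed; times in the user's local time zone
HOME = {"lat": 40.71, "lon": -74.01}   # constructed: the user's usual location (New York)

# Constructed sample records. SUSPICIOUS mirrors the page's example sign-in;
# PREVIOUS is the user's last normal sign-in; TRAVELLING is a plausible business trip.
PREVIOUS = {"time": "2024-05-01 21:10", "lat": 40.71, "lon": -74.01,
            "device_known": True, "mfa_prompted": True, "legacy_auth": False}
SUSPICIOUS = {"time": "2024-05-02 03:42", "lat": 6.52, "lon": 3.38,        # Lagos
              "device_known": False, "mfa_prompted": False, "legacy_auth": True}
TRAVELLING = {"time": "2024-05-03 14:00", "lat": 41.88, "lon": -87.63,     # Chicago
              "device_known": False, "mfa_prompted": True, "legacy_auth": False}

WEIGHTS = {"unusual_location": 2, "new_device": 1, "off_hours": 1,
           "legacy_auth_protocol": 2, "mfa_not_prompted": 2, "impossible_travel": 3}
HOME_RADIUS_KM = 500        # further than this from home counts as an unusual location
MAX_PLAUSIBLE_KMH = 1000    # faster than this between two sign-ins is impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def indicators(signin, previous=None, home=HOME):
    """Return the names of the page's indicators that fire for this sign-in.
    `previous` must be the sign-in that came before it in time, if any."""
    fired = []
    if haversine_km(home["lat"], home["lon"], signin["lat"], signin["lon"]) > HOME_RADIUS_KM:
        fired.append("unusual_location")
    if not signin["device_known"]:
        fired.append("new_device")
    when = datetime.strptime(signin["time"], TIME_FMT)
    if when.hour < 6 or when.hour >= 22:       # outside the user's working day
        fired.append("off_hours")
    if signin["legacy_auth"]:
        fired.append("legacy_auth_protocol")
    if not signin["mfa_prompted"]:
        fired.append("mfa_not_prompted")
    if previous is not None:
        km = haversine_km(previous["lat"], previous["lon"], signin["lat"], signin["lon"])
        hours = (when - datetime.strptime(previous["time"], TIME_FMT)).total_seconds() / 3600
        # Two sign-ins closer together than the distance allows: impossible travel.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            fired.append("impossible_travel")
    return fired


def risk_level(fired):
    """Weighted sum of fired indicators, bucketed into the page's Low/Medium/High."""
    score = sum(WEIGHTS[name] for name in fired)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def adaptive_decision(signin, previous=None):
    """Adaptive authentication: low risk proceeds, medium risk steps up to MFA,
    high risk adds device verification, or is blocked outright when the protocol
    is legacy auth and therefore cannot carry a step-up prompt at all."""
    level = risk_level(indicators(signin, previous))
    if level == "Low":
        return "allow"
    if level == "Medium":
        return "mfa_step_up"
    if signin["legacy_auth"]:
        return "block"
    return "mfa_step_up_and_device_verification"


if __name__ == "__main__":
    for name, rec, prev in (("previous", PREVIOUS, None),
                            ("suspicious", SUSPICIOUS, PREVIOUS),
                            ("travelling", TRAVELLING, PREVIOUS)):
        fired = indicators(rec, prev)
        print(f"{name:10} {risk_level(fired):6} {adaptive_decision(rec, prev):36} {fired}")
```

With the constructed records the previous sign-in fires nothing and is allowed; the page's example sign-in fires every indicator including impossible travel (roughly 8,500 km from New York in about six and a half hours), scores High, and is blocked because a legacy protocol cannot be stepped up; the Chicago sign-in from a new device fires two indicators, scores Medium, and gets an MFA step-up. The weights and thresholds are the tunable part of such a policy and should be calibrated against your own sign-in baseline rather than copied.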