Cyber Report

Suspicious Login Brief

Business-friendly guidance for identifying and responding to suspicious authentication activity.

Summary

Suspicious authentication activity can indicate stolen credentials, a successful phishing attempt or an active mailbox compromise. Early review helps reduce the risk of fraud, data exposure and attacker persistence.

Common signs

  • Logins from unfamiliar countries or impossible travel patterns
  • Repeated failed logins followed by one successful login
  • New mailbox rules that forward or hide messages
  • Unexpected MFA prompts or user reports of account warnings
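
For teams that review sign-in logs directly, the first two signs can be checked automatically. The Python sketch below is an added example, not part of the original brief: the event layout, the sample events and the thresholds (5 failures in 10 minutes, 900 km/h travel speed, 100 km minimum distance) are all assumptions to adapt to your own log export.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real data): user, UTC time, result, lat, lon
EVENTS = [
    *[("alice", f"2024-05-01T08:0{m}:00", "failure", 52.5, 13.4) for m in range(5)],
    ("alice", "2024-05-01T08:05:00", "success", 52.5, 13.4),
    ("bob",   "2024-05-01T09:00:00", "success", 51.5, -0.1),   # London
    ("bob",   "2024-05-01T10:00:00", "success", 1.35, 103.8),  # Singapore, 1 h later
    ("carol", "2024-05-01T09:00:00", "failure", 48.9, 2.35),   # one mistyped password
    ("carol", "2024-05-01T09:01:00", "success", 48.9, 2.35),
    ("carol", "2024-05-01T17:00:00", "success", 48.9, 2.35),
]

FAIL_THRESHOLD = 5                    # assumption: failures before a success
FAIL_WINDOW = timedelta(minutes=10)   # assumption: how far back failures count
MAX_SPEED_KMH = 900                   # assumption: roughly airliner speed
MIN_DISTANCE_KM = 100                 # assumption: ignore small geolocation jitter

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371 * 2 * asin(sqrt(a))

def find_alerts(events):
    """Return (user, time, reason) for each suspicious successful login."""
    alerts, fails, last_ok = [], {}, {}
    for user, ts, result, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        # Keep only this user's failures that are still inside the window.
        recent = [f for f in fails.get(user, []) if t - f <= FAIL_WINDOW]
        if result == "failure":
            fails[user] = recent + [t]
            continue
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((user, ts, "failures_then_success"))
        fails[user] = []
        if user in last_ok:
            prev_t, prev_lat, prev_lon = last_ok[user]
            hours = (t - prev_t).total_seconds() / 3600
            dist = km_between(prev_lat, prev_lon, lat, lon)
            # Flag when the distance could not be covered in the elapsed time.
            if dist > MIN_DISTANCE_KM and dist > MAX_SPEED_KMH * hours:
                alerts.append((user, ts, "impossible_travel"))
        last_ok[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

VPNs and mobile carriers can place a legitimate user far from their real location, so treat an impossible travel hit as a prompt for review rather than proof of compromise.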

Immediate actions

  • Preserve audit logs and sign-in logs
  • Revoke sessions for the impacted account
  • Reset credentials using a clean admin process
  • Review mailbox rules, forwarding and OAuth grants
  • Check related accounts and shared mailboxes

For technical review, email security@crossboardercyber.com.
