Suspicious cloud logins rarely exist in isolation. This workflow shows how to pivot from a single Office 365 alert into the broader on-premises and cross-system activity around it, which makes it easier to decide whether the event is harmless, user-related, or part of a larger compromise.

Prefer watching? Check the related video walkthrough.

1. Start from the Office 365 Dashboard

Open the Office 365 overview dashboard and filter for alerts tagged as notified. Then open the specific log entry tied to the suspicious login. This gives you the username and source IP address needed for the next steps.

Fig. 1: Office 365 overview dashboard in Logmanager showing the suspicious login alert details.

2. Pivot on the IP Address

Filter for all activity from the suspicious IP address and remove filters that limit the view only to alerted events. This makes it possible to see the broader context, including activity that did not itself trigger an alert.

If the same source IP is tied to more than one username, investigate every related account. In the example, one of the users deleted many files, which immediately raises the severity of the incident.

Fig. 2: Investigation in Logmanager showing the suspicious IP associated with multiple Office 365 usernames.

4. Move to the Wider Environment

Copy the suspicious username and switch to the general log overview dashboard. Review all related actions in other systems, including Windows. Look for account creation, password resets, account enabling, or users being added to groups, as these may indicate privilege escalation or persistence.

Fig. 3: Suspicious login investigation in Logmanager showing file deletion activity or broader cross-system actions.
Fig. 4: Windows or cross-system activity in Logmanager showing account creation, password reset or group changes after a suspicious login.
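The three pivots above (alerted login to username and IP, IP to every account and action seen from it, username to Windows events that suggest escalation or persistence) are shown below as an added Python example. It is not Logmanager's own code or query syntax; the log records, the field names (`source`, `user`, `src_ip`, `operation`, `event_id`, `alerted`), the deletion threshold and the UPN-to-Windows-account mapping are all constructed assumptions for the example. The Windows event IDs are the standard Security log IDs for the actions step 4 describes.

```python
"""Pivot from an Office 365 login alert to IP- and user-level context.
Added example over constructed records, not Logmanager's own code."""
from collections import Counter

# Standard Windows Security event IDs for the actions step 4 says to look for.
PERSISTENCE_EVENT_IDS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}

# Constructed sample records. Field names are this example's own, not a
# SIEM schema. One alerted login, a second account on the same IP, and an
# unrelated login from a different IP.
LOGS = [
    {"source": "o365", "user": "alice@example.com", "src_ip": "203.0.113.7",
     "operation": "UserLoggedIn", "alerted": True},
    {"source": "o365", "user": "alice@example.com", "src_ip": "203.0.113.7",
     "operation": "FileDownloaded", "alerted": False},
    {"source": "o365", "user": "bob@example.com", "src_ip": "203.0.113.7",
     "operation": "UserLoggedIn", "alerted": False},
    {"source": "o365", "user": "carol@example.com", "src_ip": "198.51.100.4",
     "operation": "UserLoggedIn", "alerted": False},
    {"source": "windows", "user": "alice", "event_id": 4624, "host": "WS07"},
    {"source": "windows", "user": "bob", "event_id": 4720, "host": "DC01",
     "target": "svc-backup2"},
    {"source": "windows", "user": "bob", "event_id": 4732, "host": "DC01",
     "target": "svc-backup2", "group": "Administrators"},
]
# A burst of deletions by the second account seen on the same IP (constructed).
LOGS += [
    {"source": "o365", "user": "bob@example.com", "src_ip": "203.0.113.7",
     "operation": "FileDeleted", "alerted": False,
     "object": f"/Shared/report-{i}.docx"}
    for i in range(12)
]


def local_part(upn):
    """Map an Office 365 UPN to its Windows account name (assumed convention)."""
    return upn.split("@", 1)[0]


def alerted_logins(logs):
    """Step 1: the (user, src_ip) pairs behind notified O365 login alerts."""
    pairs = [(r["user"], r["src_ip"]) for r in logs
             if r["source"] == "o365" and r.get("alerted")
             and r["operation"] == "UserLoggedIn"]
    return list(dict.fromkeys(pairs))  # de-duplicate, keep order


def pivot_ip(logs, src_ip):
    """Step 2: every O365 action from the IP, alerted or not, grouped by user."""
    by_user = {}
    for rec in logs:
        if rec["source"] == "o365" and rec["src_ip"] == src_ip:
            by_user.setdefault(rec["user"], Counter())[rec["operation"]] += 1
    return by_user


def mass_deleters(by_user, threshold):
    """Accounts whose FileDeleted count from the IP meets the threshold."""
    return sorted(u for u, ops in by_user.items() if ops["FileDeleted"] >= threshold)


def pivot_user(logs, upn):
    """Step 4: Windows events for the user that suggest escalation or persistence."""
    account = local_part(upn)
    return [dict(rec, meaning=PERSISTENCE_EVENT_IDS[rec["event_id"]])
            for rec in logs
            if rec["source"] == "windows" and rec["user"] == account
            and rec.get("event_id") in PERSISTENCE_EVENT_IDS]


def investigate(logs, deletion_threshold=10):
    """Run all three pivots for each alerted login and rate the result."""
    report = {}
    for user, src_ip in alerted_logins(logs):
        by_user = pivot_ip(logs, src_ip)
        accounts = sorted(by_user)
        deleters = mass_deleters(by_user, deletion_threshold)
        cross = {u: pivot_user(logs, u) for u in accounts}
        severity = "high" if deleters or any(cross.values()) else "review"
        report[(user, src_ip)] = {"accounts": accounts, "mass_deleters": deleters,
                                  "cross_system": cross, "severity": severity}
    return report


if __name__ == "__main__":
    for (user, ip), r in investigate(LOGS).items():
        print(f"alert: {user} from {ip} -> severity {r['severity']}; "
              f"accounts on IP: {r['accounts']}; mass deleters: {r['mass_deleters']}")
        for u, events in r["cross_system"].items():
            for e in events:
                print(f"  {u}: {e['event_id']} {e['meaning']} on {e['host']}")
```

Running it reports the alerted login, both accounts seen from the IP, the mass deletion by the second account, and the account creation and group addition that account performed on the domain controller, which is the combination step 4 warns about. The deletion threshold and the IP-to-account join are the parts to tune to your own environment; an IP shared by a NAT gateway or VPN concentrator will legitimately carry many users, so the pivot is a lead for investigation, not a verdict.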