Compromised Account Procedure

Tags SecOps

Compromised Account Handling

Overview

This article covers how to handle compromised account alerts from Microsoft 365 or Proofpoint.

Step-by-step

1. Upon receiving a "Risky User" alert from Microsoft 365, log into https://entra.microsoft.com with your 365_account and navigate to ID Protection > Risky Users.

(Tip: keep this page open and use the Refresh option so you don't have to keep logging in.)

2. By default, alerts are sorted with the newest on top. Click the link in the Name column for the user you wish to view.

3. The Risky User Details page appears. Using the menu on the left, you can open the user profile, Sign-in Logs, Risky Sign-In, and Risk Detections to view information about the login. You want to know which IP address was in use when the alert was triggered.

(Note: You will need to use your 365_account login the first time you select any of these links.)

 

[Screenshot: Entra User Profile]

[Screenshot: Risky Sign-Ins]

[Screenshot: Risk Detections]
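
Added example (not part of the original procedure): when several detections exist for one user, the source IPs from step 3 can also be summarized from an export of the same Risk Detections data. The script assumes the detections were saved as JSON in the shape of the Microsoft Graph riskDetections resource (fields userPrincipalName, ipAddress, riskEventType, activityDateTime); the sample records, the helper names parse_ts and ips_for_user, and all users, IPs and times are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, shaped like the "value" array of a Microsoft Graph
# riskDetections response. All users, IPs and times are made up.
SAMPLE = json.loads("""[
 {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.45",
  "riskEventType": "unfamiliarFeatures", "activityDateTime": "2024-05-02T08:14:09.1234567Z"},
 {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.45",
  "riskEventType": "anonymizedIPAddress", "activityDateTime": "2024-05-02T08:20:41Z"},
 {"userPrincipalName": "jdoe@example.com", "ipAddress": "198.51.100.7",
  "riskEventType": "unlikelyTravel", "activityDateTime": "2024-05-01T22:03:00Z"},
 {"userPrincipalName": "jdoe@example.com", "ipAddress": null,
  "riskEventType": "leakedCredentials", "activityDateTime": "2024-04-30T00:00:00Z"},
 {"userPrincipalName": "asmith@example.com", "ipAddress": "192.0.2.10",
  "riskEventType": "unfamiliarFeatures", "activityDateTime": "2024-05-02T09:00:00Z"}
]""")

def parse_ts(s):
    # Drop fractional seconds (they can be 7 digits, which %f rejects).
    return datetime.strptime(s.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def ips_for_user(detections, upn):
    """Return (rows, no_ip_count): one row per source IP, newest activity first."""
    by_ip, no_ip = defaultdict(list), 0
    for d in detections:
        if (d.get("userPrincipalName") or "").lower() != upn.lower():
            continue
        if not d.get("ipAddress"):
            no_ip += 1  # detection with no sign-in IP attached
            continue
        by_ip[d["ipAddress"]].append(d)
    rows = []
    for ip, ds in by_ip.items():
        times = [parse_ts(d["activityDateTime"]) for d in ds]
        rows.append({"ip": ip, "detections": len(ds),
                     "types": sorted({d["riskEventType"] for d in ds}),
                     "first_seen": min(times), "last_seen": max(times)})
    return sorted(rows, key=lambda r: r["last_seen"], reverse=True), no_ip

if __name__ == "__main__":
    rows, no_ip = ips_for_user(SAMPLE, "jdoe@example.com")
    for r in rows:
        print(r["ip"], r["detections"], ",".join(r["types"]), r["last_seen"].isoformat())
    print("detections without an IP:", no_ip)
```

Detections that carry no IP address are counted separately so they are not lost from the review.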