Compromised Account Procedure

Body

Compromised Account Handling

Overview

This article covers handling of compromised account alerts from 365 or Proofpoint.

Step-by-step

1. Upon receiving a "Risky User" alert from Microsoft 365, log into https://entra.microsoft.com with your 365_account and navigate to ID Protection > Risky Users. 

(Tip: keep this page open and use the Refresh option so you don't have to keep logging in.

Uploaded Image (Thumbnail)(Click any image for larger view)

2. Alerts are sorted by newest on top (by default). Click the link in the Name column for the user you wish to view. 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

3. The Risky User Details page appears. Using the menu on the left, you can view user profile, Sign-in Logs, Risky Sign-In, and Risk Detections to view information about the login. You want to know what IP was being used that caused the alert.

(Note: You will need to use your 365_account login the first time you select any of these links.)

 

Uploaded Image (Thumbnail)

Entra User Profile:

Uploaded Image (Thumbnail)

Risky Sign-Ins:

Uploaded Image (Thumbnail)

Risk Detections:

Uploaded Image (Thumbnail)

 

 

Details

Details

Article ID: 3523
Created
Mon 3/23/26 4:43 PM
Modified
Mon 3/23/26 5:59 PM
Campus
Norman
Oklahoma City
Tulsa