9 Microsoft 365 Warning Signs Attackers Hope You Never Check
NavaSolutions Team · July 1, 2026
Most account takeovers don't look dramatic. There's no alarm, no locked screen, no ransom note — just an ordinary-looking login sitting among thousands of others. Attackers count on that. They count on the fact that almost no one reads their Microsoft 365 sign-in and audit logs, where the evidence sits in plain view. Here are nine of the signals they hope you never check — and what each one really means.
1. Impossible-travel sign-ins
A single account signs in from Atlanta at 9:02 a.m. and from another continent at 9:19 a.m. Unless your employee has mastered teleportation, both logins can't be real — and the second one is almost always someone using a stolen password. Microsoft 365 stamps every sign-in with a location, so this is catchable the instant it happens. The catch: someone has to be looking.
2. Logins from malicious IPs and anonymizing networks
Attackers rarely sign in from their own home internet. They route through Tor, throwaway VPNs, or already-compromised servers — many of which show up on threat-intelligence blocklists. A login from a known-bad address or an anonymizing network is a strong sign that whoever holds the password isn't your employee.
3. New-country and new-device logins
Most of your team signs in from the same few devices and cities. A first-ever login from a new country, an unrecognized device, or a risky VPN isn't automatically a breach — but it's the exact pattern that comes right before one. These deserve a second look while they're still a question, not an incident.
4. Suspicious password resets
Account takeover frequently includes a self-service password reset — the attacker locking out the real user, or resetting a password to lock in control. A reset from an unfamiliar location, moments after a suspicious sign-in, or on an account that never resets its password, reads very differently from a forgetful Monday morning.
5. Conditional Access gaps
Conditional Access is the set of rules that decide who can sign in, from where, and with what protection. The gaps are what hurt you: an account quietly exempt from MFA, a policy that still permits legacy authentication (which sidesteps MFA entirely), or a group that slipped outside the rules. These holes stay invisible until someone audits the policies — and attackers walk right through them.
6. Risky mailbox access and delegations
Who can read your CEO's email? In a lot of tenants, the honest answer is "more people than anyone realizes." Mailbox delegations and permissions accumulate over years — an assistant who changed roles, a shared mailbox with broad access, a forwarding rule nobody remembers setting up. Attackers love this, because quietly reading email is often worth more than anything noisy.
7. Hidden inbox rules that bury the evidence
Once inside, one of the first things an attacker does is create a mailbox rule — quietly deleting or filing away security alerts, replies from your finance team, or any message containing words like "invoice," "wire," or "payment." It keeps you from noticing the fraud unfolding in your own inbox, and it often forwards a copy of everything to the attacker on the way out. These rules run silently, so they're easy to miss unless someone goes looking for them.
8. Mass downloads from OneDrive and SharePoint
A compromised account is a doorway to every file it can reach. Attackers bulk-download OneDrive and SharePoint content — contracts, financials, customer records, intellectual property — to steal outright or hold for extortion. A sudden spike in downloads or external sharing is one of the clearest signs the breach has moved from simply having access to actively stealing your data.
9. Phishing blasts to your own contacts
With a trusted account in hand, attackers email your coworkers, customers, and vendors — because a message from your real address gets opened. These blasts spread the compromise to the people who trust you most and quietly damage your reputation, often going out in bulk from your Sent folder while you have no idea it's happening.
The thread that ties them together
None of these are exotic. They're ordinary events hiding in ordinary logs — which is exactly why they work. Across the businesses we monitor, we flagged 2,251 high-risk sign-ins in a single 90-day window and confirmed 177 as real attacks. Every one of them started as a signal like the ones above.
How to check your own tenant
You don't have to guess which of these are hiding in your environment. Our free Microsoft 365 security review analyzes the last 30 days of your sign-in and audit activity — read-only, up to 25 users, no obligation — and shows you exactly which signals are present. And if you'd rather have someone watching continuously, that's what our managed cybersecurity service is built to do.