March 26, 2025 · 6 min read

Investigating Risky Sign-ins: Getting to the right answers fast

This post covers Entra risky sign-ins: suspicious login activities that often indicate account compromise. We examine the detection mechanisms that identify authentication anomalies, from impossible travel scenarios to password spray attacks, and lay out the investigation challenges security analysts face. The post then shows how Command Zero's integrated platform changes these investigations through cross-product visibility, facet-based investigation frameworks, and identity correlation capabilities. By combining an encoded knowledge base with expert language models and targeted automation, security teams can shorten threat response times, standardize investigation quality, and gain visibility across fragmented technology stacks, changing how organizations detect and respond to potential identity compromises.

Introduction

Account compromises are a major concern for security teams. Detecting and responding to them quickly can mean the difference between a minor incident and a major breach. In this post, I'll explain risky sign-ins, their importance in security operations, and how Command Zero helps streamline these critical investigations.

What are risky sign-ins?

Microsoft Entra ID Protection identifies "risky sign-ins" by analyzing unusual patterns in user sign-in attempts. These are login attempts that deviate from established user behavior or exhibit characteristics associated with security threats. Risky sign-ins are categorized as low, medium, or high risk, triggering alerts or actions based on those risk levels.

While Microsoft uses "risky sign-ins," other identity providers employ different terminology for similar concepts:

  • Okta: "Behavior detection"
  • Google: "Suspicious logins"
  • AWS: "Suspicious activity" and "anomalous/unusual behavior"

Despite varying terminology, these identity providers all analyze login location, IP address, device information, access timing, authentication methods, and user behavior patterns to identify potential threats.

Detection triggers

Microsoft Entra ID Protection analyzes several factors during each sign-in attempt:

  • Geographic Location: Sign-ins from atypical or unfamiliar locations
  • IP Address Analysis: Logins from anonymous, malicious, or unusual IP addresses
  • Device and Browser Patterns: First-time device or browser usage
  • Temporal Anomalies: Sign-ins during unusual hours for the user
  • Impossible Travel: Authentication from two distant locations within an implausible timeframe
  • Password Spray Detection: Multiple sign-in attempts, often performed in an automated fashion using common passwords
  • Leaked Credentials: Sign-in attempts using known compromised credentials
  • Malicious IP Addresses: Authentication from IPs associated with known malicious activity

Microsoft categorizes these risks into three levels—low, medium, and high—allowing organizations to configure appropriate Conditional Access policies that can require additional authentication factors or block access entirely.

Management tools

Security teams can monitor and respond to risky sign-ins through several mechanisms:

  • Microsoft Entra ID Protection: The core service that identifies potential authentication risks
  • Risky Sign-ins Report: Administrative dashboard for monitoring and investigating suspicious logins
  • Remediation Actions: Options to confirm sign-ins as compromised or safe, or dismiss the risk
  • Conditional Access Integration: Automated policies that can trigger user self-remediation steps
  • Risk Feedback Loop: Administrator input to improve Microsoft's risk detection algorithms

Putting risky sign-in alerts to work

Account compromise represents one of the most significant threats facing organizations today. As part of Microsoft's identity protection service, Entra's risky sign-in detections highlight abnormal login behavior that often indicates compromised credentials. These detections serve as critical early warning signals for security analysts. When properly monitored and investigated, they can reveal unauthorized access attempts before attackers gain a foothold in your environment.

Why risky sign-ins are an important signal for Security Operations

For SOC analysts, risky sign-in detections are crucial in identifying and responding to threats quickly. Let's look at some specific examples:

  1. Atypical Travel: One of the most common alerts involves authentication from geographically impossible locations within a short timeframe. For example, a login from Texas followed by another from Canada five minutes later is physically impossible, raising immediate red flags.
  2. Password Spray Attacks: Microsoft surfaces detections when successful logins are associated with password spray attempts, a technique where attackers try common passwords across numerous accounts. These detections often reveal the initial stages of a broader attack.
  3. Malicious IP Addresses: Sign-ins from IP addresses known to be associated with threat actors or compromised infrastructure are immediately flagged, providing a crucial early indicator of potential compromise.
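As an added illustration of the first two detections above (this is not Command Zero's or Microsoft's code), the following Python sketch runs an impossible-travel check and a password-spray source check over constructed sign-in records. The 1,000 km/h speed threshold, the three-account spray threshold, and the record layout are assumptions made for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real tenant data).
# Fields: user, source IP, city, latitude, longitude, result, UTC timestamp.
SIGNINS = [
    ("alice", "198.51.100.7", "Austin", 30.27, -97.74, "success", "2025-03-26T14:00:00"),
    ("alice", "203.0.113.9", "Toronto", 43.65, -79.38, "success", "2025-03-26T14:05:00"),
    ("bob", "192.0.2.44", "Austin", 30.27, -97.74, "failure", "2025-03-26T14:01:00"),
    ("carol", "192.0.2.44", "Austin", 30.27, -97.74, "failure", "2025-03-26T14:01:10"),
    ("dave", "192.0.2.44", "Austin", 30.27, -97.74, "failure", "2025-03-26T14:01:20"),
    ("erin", "192.0.2.44", "Austin", 30.27, -97.74, "success", "2025-03-26T14:01:30"),
    ("frank", "198.51.100.7", "Austin", 30.27, -97.74, "success", "2025-03-26T15:00:00"),
]

MAX_SPEED_KMH = 1000  # assumed threshold: faster than airline travel is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(records, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds
    max_speed_kmh; same-place sign-ins are never flagged, even with equal timestamps.
    Returns (user, from_city, to_city, km/h or None when the gap is zero) tuples."""
    by_user = defaultdict(list)
    for user, _ip, city, lat, lon, result, ts in records:
        if result == "success":
            by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if dist > 0 and (hours == 0 or dist / hours > max_speed_kmh):
                hits.append((user, c1, c2, round(dist / hours) if hours else None))
    return hits

def password_spray_sources(records, min_accounts=3):
    """Return {ip: sorted users} for source IPs that tried at least min_accounts
    distinct accounts; a success from such an IP is the spray-linked login the
    detection trigger above describes."""
    users_by_ip = defaultdict(set)
    for user, ip, *_ in records:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}
```

In the sample data, alice's Austin-to-Toronto pair (about 2,200 km in five minutes) is flagged, and 192.0.2.44 is reported as a spray source because it touched four accounts, one of them successfully.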

Investigative challenges around risky sign-ins

The real complexity emerges during investigation. When a risky sign-in alert fires, security analysts face several critical challenges:

  1. Scope assessment

Understanding the full extent of a compromise is particularly difficult. If an account is truly compromised, determining which assets have been accessed and what actions were taken requires visibility across multiple systems.

  2. Technology fragmentation (aka security silos)

Most organizations maintain different security tools, dashboards, and directories across various technology stacks. This fragmentation forces analysts to piece together information from disparate sources – a time-consuming process that delays response.

  3. Context collection

Gathering the necessary context around a suspicious login often requires manual lookups across multiple systems, from identity providers to endpoint protection platforms and cloud environments.

How Command Zero helps get to the right answers fast

Command Zero fundamentally transforms how security teams investigate risky sign-ins through several key capabilities:

  1. Cross-Product visibility & enrichment

Our platform consolidates investigative capabilities into a single dashboard, enabling analysts to trace activity across Microsoft Entra ID, AWS, CrowdStrike, and other security and non-security tools from a unified interface. Analysts can investigate across products using the encoded knowledge base in the platform, removing the barrier of having to learn how to interrogate each resource.

You can interrogate security and non-security data sources in the environment and branch out to analyze interesting patterns.

  2. Streamlining investigations with pre-built sequences

We've developed facets (pre-configured sequences of relevant investigative questions) that can be applied with a single click. When a suspicious IP is identified, analysts can immediately check its presence across all connected systems, dramatically accelerating the investigation process.

Facets are outcome-focused sequences (or pre-built investigation templates) that help all analysts run best practices for each investigation. This practice saves time and helps make sure the same baseline questions are asked for the same type of analysis.

  3. User resource correlation

Command Zero automatically correlates identities across systems, eliminating manual directory lookups. The resource view also shows notes and tags about each user, along with previous investigations the user was involved in. An analyst investigating a potentially compromised Microsoft Entra account can instantly see the corresponding identities in Okta, GitHub, and other connected systems, along with the historical context for this lead.

You get the complete current and historical context about leads (such as principal user IDs, IPs, domains, and hashes), so you can start each investigation with full knowledge of the subjects in focus.

  4. Baselines for all outcomes

Our facets establish a consistent investigative baseline that all analysts follow, ensuring investigative quality doesn't vary between team members. This standardization creates predictable, reliable outcomes while still allowing individual analysts to build upon this foundation.

Facets empower all analysts by delivering the baselines for them on each analysis, so they can focus on adding their own insights to each investigation, while delivering predictable outcomes in minutes.

  5. Contextual prioritization

Command Zero helps distinguish between high-priority and routine incidents by providing critical context. A super-admin logging in from an unexpected location represents a substantially different risk than an intern accessing systems from their summer house.

Access to all known information about leads helps with prioritization and helps focus on the meaningful patterns for each analysis. For example, the analysis of an Exchange admin can focus more on mail related branches while the investigation focused on a GitHub admin can have more branches focused on GitHub activities.

Conclusion

Risky sign-ins are noteworthy signals in today's identity-centric security landscape. These detection mechanisms identify authentication anomalies that signal potential credential compromise—from impossible travel patterns and password spray attacks to logins from malicious infrastructure.  

As threat actors increasingly target identity systems as their primary attack vector, organizations must evolve beyond basic alerting to implement comprehensive investigation workflows that provide cross-platform visibility and contextual intelligence. By transforming how security teams respond to these critical early warning signals, we enable faster, more decisive action that prevents minor security incidents from escalating into catastrophic breaches.  

The future of effective identity protection lies not merely in detection, but in the orchestrated investigative capabilities that empower security teams to rapidly understand, contain, and remediate identity-based threats before attackers can establish persistence in your environment.  

What sets Command Zero apart when it comes to risky sign-in investigations is our unique combination of an encoded knowledge base, expert LLMs, and automation capabilities. This integrated approach allows for:

  1. Rapid Context Building: Quickly gather and correlate relevant information from across the environment.
  2. Intelligent Analysis: Leverage AI to identify patterns and potential threats that might be missed by traditional rule-based systems.
  3. Streamlined Workflow: Automate routine tasks while providing powerful tools for in-depth manual investigation when needed. Build rules to guide automation flows to tackle specific case patterns, and get verdicts and full reports from autonomous investigations.
  4. Continuous Learning: Our system evolves with each investigation, improving its ability to detect and respond to new threats. The Command Zero security research team builds new questions and facets each week, and your teams can build their own best practices to grow institutional knowledge. So, your team learns continuously and improves with every investigation.

By combining these capabilities, we've created a platform that dramatically improves the efficiency and effectiveness of risky sign-in investigations, enabling security teams to respond faster and with greater confidence to potential identity threats.  

Book a demo with our team to see how Command Zero can transform Microsoft Risky Sign-in investigations and tier-2+ analysis for your organization.

Natalie Dean
Senior Security Researcher
