Forum Discussion
Are these questionable activities?
Questions on Activity log. I am seeing multiple times that our organization user accounts have an activity from a foreign IP. These IPs range from Nepal, India, UK, Ireland, Mexico, Brazil, Puerto Rico, etc. So, the IPs are all over the place. It affected dozens of users.
I have filtered out cloud provider IPs, as those activities may be copies of the cloud environment being replicated to different cloud data centers. These IPs range over Ireland, Mexico City, and the Netherlands. These activities are usually tied to MS Exchange and typically have the cloud icon next to the IP in the activity log screen.
Usually activities like "FilePreviewed: file https://xx"
There are also these:
Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx , property MailAccessType Bind, property IsThrottled False
and
Run command: task Send; Parameters: Session ID xxstringxx
I will admit that I am new to this Defender portal and to cyber.
Am I being too cautious when I see
Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx property MailAccessType Bind, property IsThrottled False
and
Run command: task Send; Parameters: Session ID xxxxstringxx
and
Allow computer to sync files: OneDrive Site Collection
and
CONTENT_ACCESS
and
seeing some MS Exchange stuff from Mexico IP (not sure if this is a cloud thing or not)
I see these from foreign IPs that are not associated with cloud providers, and the users have not visited those countries. Should I raise an alarm, or are the activities associated with cloud activities and thus not an alert? Sorry, again, I am new to this.
3 Replies
- giscard2learn (Copper Contributor): I have investigated this same event and confirmed the user was accessing their email on their mobile phone and using an internet service whose IP address has a malicious reputation on IPVOID. The alert was triggered because of the IP address reputation.
- WhitMc (Copper Contributor): My reply is a few days late, but what you are seeing seems pretty typical of VPN connections on personal devices, likely mobile phones. You should be able to correlate that activity to a mobile device. Or, like richrico suggested, ask the users if they use the mobile Outlook app on their phones as well as a personal VPN. I will bet you the answer is yes!
- richrico (Copper Contributor): As much as the activities might seem suspicious, I'd say just contact the user personally. I feel it's always the best approach to confirming suspicious activities. Sometimes certain activities show up with a Microsoft cloud IP. These IPs could be from any geographical location. But don't assume it's a legitimate activity if it has a Microsoft cloud IP anyway. Just confirm with user!!!!!!!!
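The triage the question and the replies describe (drop cloud-provider source IPs, then look at the remaining foreign-IP mail activity per user and check whether the client looks like a mobile app before going to the user) as an added example, not code from the thread or from Microsoft. The record layout is modelled on Exchange mailbox audit entries, and the sample records, the "cloud" prefixes, the GeoIP table and the mobile client markers are constructed placeholders that a real deployment would replace with the published service ranges and a proper GeoIP lookup.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample records (field names modelled on Exchange mailbox audit entries;
# users, IPs and client strings are made up; IPs are documentation ranges).
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "MailItemsAccessed",
     "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OutlookService;Outlook-iOS/2.0",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}]},
    {"UserId": "alice@example.com", "Operation": "Send",
     "ClientIPAddress": "198.51.100.7", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0)"},
    {"UserId": "bob@example.com", "Operation": "FilePreviewed",
     "ClientIPAddress": "192.0.2.25", "ClientInfoString": "Client=Microsoft Exchange Server"},
]
# Placeholders: real service-tag ranges and a GeoIP/ASN database go here.
CLOUD_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
GEO = {"203.0.113.10": "NP", "198.51.100.7": "MX", "192.0.2.25": "IE"}
MOBILE_MARKERS = ("Outlook-iOS", "Outlook-Android", "Apple-iPhone-Mail")
HOME_COUNTRY = "US"  # assumed home country of the organisation

def is_cloud(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)

def is_mobile(client_info: str) -> bool:
    return any(marker in client_info for marker in MOBILE_MARKERS)

def props(record: dict) -> dict:
    # Flatten OperationProperties (e.g. MailAccessType=Bind) into a dict.
    return {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}

def triage(records, home: str = HOME_COUNTRY) -> dict:
    """Per user, keep only non-cloud, non-home-country activity and note whether the
    client looks like a mobile app (VPN/mobile pattern) or needs confirming with the user."""
    findings = defaultdict(list)
    for r in records:
        ip = r["ClientIPAddress"]
        if is_cloud(ip):
            continue  # service-side activity, filtered as the poster already does
        country = GEO.get(ip, "??")
        if country == home:
            continue
        mobile = is_mobile(r.get("ClientInfoString", ""))
        findings[r["UserId"]].append({"op": r["Operation"], "ip": ip, "country": country,
                                      "mail_access": props(r).get("MailAccessType"),
                                      "mobile_client": mobile, "confirm_with_user": not mobile})
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The desktop OWA session from a non-cloud foreign IP is what ends up flagged for a conversation with the user; the mobile Outlook entry is kept in the output but marked as the mobile/VPN pattern the replies describe.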