
Loki login

ariebombarie
Occasional Visitor

Hi,

My business is using Office 365. Since yesterday one of our accounts has logged in through an application called 'Office Online Client- Loki'.

Is this the malware LokiBot, or is it something that is normal for Office 365?

Thanks in advance

Sorry if this is not the right forum

1 Reply

@ariebombarie 

Loki is listed in the URLs for Delve; it could be that.

On the site https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges, you can see the following URLs: *.loki.delve.office.com, loki.delve.office.com, loki.delve-gcc.office.com, lpcres.delve.office.com.

However, the best option, if you are unsure, is to check which users have logged in. In Azure AD, scroll down to the Sign-Ins and find which user attempted to connect with Loki. Click on the sign-in event and check where the user logged in from. If it was from a location/IP you know, then you can run some AV/malware tools over the user's workstations. If you don't know the IP/location, then I would start looking at resetting the user's password, enabling MFA, as well as scanning their PC.

If you have Microsoft Defender ATP, you can check Cloud App Security and see if the user's PC has been infected as well.
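The sign-in review described in the reply above can be run over an exported sign-in log; this is an added example, not part of the original thread. It assumes records with the Microsoft Graph `signIn` field names, and the users, addresses, dates and known-network list are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample records; field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-01-01T08:12:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Office Online Client- Loki", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-01-01T09:40:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Office Online Client- Loki", "ipAddress": "198.51.100.7"},
 {"createdDateTime": "2024-01-01T10:05:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Office Online Client- Loki", "ipAddress": "203.0.113.22"},
 {"createdDateTime": "2024-01-01T11:30:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.9"}
]""")

# Assumption: the egress ranges your organisation recognises (a documentation range here).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def triage_signins(signins, app_keyword="Loki", known_networks=KNOWN_NETWORKS):
    """Group sign-ins for apps matching app_keyword by user and split source IPs
    into known and unknown, then attach the follow-up steps from the reply."""
    findings = {}
    for event in signins:
        if app_keyword.lower() not in event.get("appDisplayName", "").lower():
            continue  # sign-in through a different application
        raw_ip = event.get("ipAddress", "")
        try:
            ip = ipaddress.ip_address(raw_ip)
            known = any(ip in net for net in known_networks)
        except ValueError:
            known = False  # missing or malformed address: treat as unknown
        entry = findings.setdefault(
            event["userPrincipalName"], {"known_ips": set(), "unknown_ips": set()})
        entry["known_ips" if known else "unknown_ips"].add(raw_ip)
    for entry in findings.values():
        if entry["unknown_ips"]:
            entry["actions"] = ["reset password", "enable MFA", "scan PC"]
        else:
            entry["actions"] = ["run AV/malware tools on workstation"]
    return findings


if __name__ == "__main__":
    for user, entry in sorted(triage_signins(SAMPLE_SIGNINS).items()):
        print(user, sorted(entry["unknown_ips"]), entry["actions"])
```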

 

 
