However, the best option, if you are unsure, is to check which users have logged in. In AzureAD scroll down to the Sign-Ins and find which user attempted to connect with Loki. Click on the sign-in event and check where the user logged in from. If it was from a location/IP you know then you can run some AV/Malware tools over the user's workstations. If you don't know the IP/Location then I would start looking at resting the user's password, enabling MFA as well as scanning their PC.
If you have Microsoft Defender ATP, you can check cloud app security and seen of the user's PC has been infected as well.