Are these questionable activities?

Copper Contributor

Questions on Activity log. I am seeing multiple times that our organization user accounts have an activity from a foreign IP. These IPs range from Nepal, India, UK, Ireland, Mexico, Brazil, Puerto Rico, etc. So, the IPs are all over the place. It affected dozens of users.

 

I have filtered out cloud provider IP as those activities may be copies of the cloud environment copying to different cloud data centers. These IPs range Ireland, Mexico City, Netherlands. These activities are usually tied to MS Exchange and typically have the cloud icon next to the IP in the activity log screen. 

Usually activites like "FilePreviewed: file https://xx"

 

There are also these:

Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx , property MailAccessType Bind, property IsThrottled False

and

Run command: task Send; Parameters: Session ID xxstringxx

 

 

I will admit that I am new to this Defender portal and to cyber.

 

Am I being too cautious when I see

Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx property MailAccessType Bind, property IsThrottled False

and

Run command: task Send; Parameters: Session ID xxxxstringxx 

and

Allow computer to sync files: OneDrive Site Collection

and

CONTENT_ACCESS

and

seeing some MS Exchange stuff from Mexico IP (not sure if this is a cloud thing or not)

 

I see these from foreign IPs that are not associated to cloud providers and user have not visited those countries. Should i raise an alarm or are the activities associated to cloud activities and thus not an alert? Sorry, again, I am new to this.

3 Replies
As much as the activities might seem suspicious, I'd say just contact the user personally. I feel it's always the best approach to confirming suspicious activities. Sometimes certain activities show up with a Microsoft cloud IP. These IPs could be from any geographical location. But don't assume it's a legitimate activity if it has a Microsoft cloud IP anyway. Just confirm with user!!!!!!!!
My reply is a few days late, but what you are seeing seems pretty typical to VPN connections on personal devices, likely mobile phones. You should be able to correlate that activity to a mobile device. Or, like richrico suggested, ask the users if they us the mobile Outlook app on their phones as well as a personal VPN. I will bet you the answer is yes!

@HathMH 

I have investigated this same event and confirmed the user was accessing their email on their mobile phone and using an internet service which IP address has a malicious reputation on IPVOID. The alert was triggered because of the IP address reputation.