Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Origins of leaked cred alarm

Occasional Contributor



Just wondering if any one know how to dig out more information when the Leaked Credential alarm is raised. Trying to figure out the source of the alarm so we can do some more focused hunting, and managers\clients tend to like this information.


John L

3 Replies

Hi @jlouden 


This alert comes from Azure AD Identity Protection that we now expose in the MCAS SecOps portal preview.

This is an offline detection described here:


Have a great day!

Hey @Sebastien Molendijk 


We got the alarm, but what is missing is where Microsoft Security spotted the cred's in the first place. While I'm not a massive fan of attribution, aka blaming state actor abc, I think having a process to understand where the alert came from will assist in a preventative and hunting activities.


Could I log a support case with Azure to find out where this information came from,?




best response confirmed by jlouden (Occasional Contributor)

As explained before, this is an Azure AD Identity Protection detection, not an MCAS one.
I don't think AAD exposes the exact location on the Dark Web where they identify those credentials. You can open a support request for AAD to confirm if you want to.

Best regards