I am trying to understand the following activity.
I have had a few users in my organization flagged as a "Risky User" due to an anomalous token. This is normally supposed to flag if a users session token is stolen and replayed.
Upon investigating the flagged sign ins, the IP addresses used for these are within Microsoft's Exchange Online IP range. Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs
It is also common to see these as non-interactive sign ins.
I am trying to understand why there would be a sign in from a Microsoft Exchange Online IP address to one of our accounts that would be attempting to use a token from a users client as per the error message reported?
Is there a service running in Exchange Online I am not aware of that signs in on the users behalf? Why would it be using a token granted to a users device?
I have also noticed consistent activity from these IP addresses in Cloud App Security.
Any help or clarification would be greatly appreciated!