Anomalous Token & activity from Microsoft

Copper Contributor



I am trying to understand the following activity.


I have had a few users in my organization flagged as a "Risky User" due to an anomalous token. This is normally supposed to flag if a users session token is stolen and replayed.

Upon investigating the flagged sign ins, the IP addresses used for these are within Microsoft's Exchange Online IP range. Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs


It is also common to see these as non-interactive sign ins.


I am trying to understand why there would be a sign in from a Microsoft Exchange Online IP address to one of our accounts that would be attempting to use a token from a users client as per the error message reported?

Is there a service running in Exchange Online I am not aware of that signs in on the users behalf? Why would it be using a token granted to a users device?


I have also noticed consistent activity from these IP addresses in Cloud App Security.



Any help or clarification would be greatly appreciated!


Kind Regards,







1 Reply
We get these all the time as well. Its not explained well. You will often times see these as non interactive, from an IP address they do not use but using the same registered device as usual. I believe some of this is related to the fact that using the IP address is not always a reliable means of determining fraudulent activity. I look at the device and then lookup the IP to see where its registered. Most times one of the hits is a mobile carrier. I then look at their interactive sign in history for anything that is off pattern. I then dismiss the user risk if I see nothing unusual. I wish this worked better because I think the risk user's function generates a lot of false positives and noise.