Suspicious User Playbook

Structured approach to investigating potentially compromised or malicious user accounts.

Last updated: February 2026

Purpose and Scope

User accounts are prime targets for attackers. Whether compromised through phishing, credential stuffing, or insider threat, suspicious account activity requires thorough investigation. This playbook provides a systematic approach to investigating user accounts flagged by alerts, anomaly detection, or reports.

Prerequisites

  • Identity logs: Authentication events from AD, Azure AD, Okta, or identity provider
  • Email logs: Sign in activity, inbox rules, sent messages
  • Endpoint telemetry: Process execution, network connections from user sessions
  • HR/Directory data: User role, department, manager, expected behavior
  • Network logs: VPN, proxy, firewall activity attributed to user
  • Cloud audit logs: SaaS application activity

Investigation Triggers

Common reasons to investigate a user account:

  • Impossible travel alert (logins from distant locations)
  • Password spray or brute force target
  • Unusual sign in properties (new device, browser, location)
  • Privilege escalation activity
  • Mass file access or download
  • Suspicious email rules or forwarding
  • Off hours access to sensitive systems
  • Manager or user report of suspicious activity
  • Threat intelligence match (credentials in breach database)

Investigation Workflow

1. Gather User Context

Before analyzing activity, understand the user:

  • Job role and department
  • Normal working hours and location
  • Systems and applications they typically access
  • Recent changes (new hire, role change, termination pending)
  • Any recent travel or remote work changes

2. Review Authentication Timeline

Build a timeline of recent authentication events:

  • Successful and failed login attempts
  • Source IPs and geolocations
  • Devices and user agents
  • MFA status (prompted, passed, bypassed)
  • Authentication methods used

3. Check for Impossible Travel

Calculate if authentication locations are physically possible:

  • Time between logins from different locations
  • Distance between locations
  • Account for VPN, proxy, or mobile network inaccuracies
  • Consider legitimate travel (check calendar if available)

4. Examine Session Activity

After authentication, what did the user do:

  • Applications accessed
  • Files viewed, downloaded, or modified
  • Email activity (sent, forwarded, rules created)
  • Privilege usage (admin actions, elevated access)
  • Data volume accessed or transferred

5. Review Email Compromise Indicators

For suspected email compromise:

  • New inbox rules (especially forwarding or deleting)
  • Sent items to unusual recipients
  • Password reset requests sent from the account
  • OAuth app consents granted
  • Mailbox delegation changes

6. Correlate with Endpoint Activity

If the user has endpoint telemetry:

  • Process execution during suspicious sessions
  • Network connections to unusual destinations
  • File system activity (staging, compression)
  • Browser history and downloads
  • Credential access attempts

7. Contact the User

When appropriate, verify with the user:

  • Did they perform the flagged activity?
  • Were they traveling or using VPN?
  • Did they receive any phishing messages?
  • Did they share credentials or click suspicious links?

Use out-of-band communication (a phone call to a known-good number) if compromise is suspected.

Investigation Queries

Authentication Timeline

Splunk (Azure AD):

index=azure_ad sourcetype=azure:aad:signin user_principal_name="[email protected]"
| sort _time
| table _time, user_principal_name, src_ip, location, app_display_name, result_type, device_detail, mfa_detail

Failed Authentication Attempts

index=azure_ad sourcetype=azure:aad:signin user_principal_name="[email protected]" result_type!=0
| stats count by result_type, result_description, src_ip
| sort -count

Impossible Travel Detection

index=azure_ad sourcetype=azure:aad:signin result_type=0
| sort user_principal_name, _time
| streamstats current=f last(_time) as prev_time, last(location) as prev_location, last(src_ip) as prev_ip by user_principal_name
| eval time_diff_hours = (_time - prev_time) / 3600
| where time_diff_hours < 2 AND location != prev_location
| table _time, user_principal_name, src_ip, location, prev_ip, prev_location, time_diff_hours
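An added example, not part of this playbook: a Python version of the impossible-travel check that replaces the query's "location changed within two hours" heuristic with the implied travel speed between consecutive sign-ins, skipping known VPN egress addresses and small distances as step 3 advises. The KNOWN_VPN_EGRESS set, the 900 km/h ceiling and the sample sign-ins are assumptions constructed for this example.

```python
"""Impossible-travel check over a per-user sign-in timeline (added example)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0            # assumption: roughly airliner speed
KNOWN_VPN_EGRESS = {"198.51.100.7"}  # constructed: corporate VPN egress IPs

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, vpn_egress=KNOWN_VPN_EGRESS):
    """Return (prev_event, event, speed_kmh) for consecutive successful sign-ins
    whose implied speed exceeds max_kmh. Like the streamstats query, events are
    sorted per user by time and each one is compared with the previous one."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        if ev["result_type"] != 0 or ev["src_ip"] in vpn_egress:
            continue  # failed sign-ins and VPN egress IPs give no usable geolocation
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < 50:
            continue  # same metro area: mobile-carrier IP churn shifts geolocation slightly
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            findings.append((prev, ev, round(speed, 1)))
    return findings

def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample sign-ins (not real data): alice New York -> Berlin in 90 minutes,
# then via VPN egress; bob London -> Paris over twelve hours.
SAMPLE = [
    {"user": "alice", "time": _t("2026-02-03T08:00:00"), "src_ip": "203.0.113.5", "lat": 40.71, "lon": -74.01, "result_type": 0},
    {"user": "alice", "time": _t("2026-02-03T09:30:00"), "src_ip": "203.0.113.9", "lat": 52.52, "lon": 13.40, "result_type": 0},
    {"user": "alice", "time": _t("2026-02-03T10:00:00"), "src_ip": "198.51.100.7", "lat": 37.77, "lon": -122.42, "result_type": 0},
    {"user": "bob", "time": _t("2026-02-03T08:00:00"), "src_ip": "203.0.113.20", "lat": 51.51, "lon": -0.13, "result_type": 0},
    {"user": "bob", "time": _t("2026-02-03T20:00:00"), "src_ip": "203.0.113.21", "lat": 48.86, "lon": 2.35, "result_type": 0},
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE):
        print(f"{cur['user']}: {prev['src_ip']} -> {cur['src_ip']} implies {speed} km/h")
```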

Email Forwarding Rules

O365 Audit:

index=o365 sourcetype=o365:management:activity Operation IN ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
UserId="[email protected]"
| table _time, Operation, Parameters, ClientIP
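An added example, not part of this playbook: a Python triage routine for the Parameters field returned by the query above, flagging rules that forward or redirect to an address outside the organisation, delete matching mail, or mark it read to hide it from the user. INTERNAL_DOMAINS and the sample event are constructed assumptions; the event follows the Name/Value parameter shape of the O365 management activity feed.

```python
"""Triage O365 New-/Set-InboxRule audit events for BEC-style persistence (added example)."""
import json

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
DELETE_PARAMS = {"DeleteMessage", "SoftDeleteMessage"}

def _addresses(value):
    """Recipient lists appear as 'Display Name [SMTP:user@domain]' or bare addresses,
    separated by semicolons; return the lowercase SMTP addresses."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if "[SMTP:" in part:
            part = part.split("[SMTP:", 1)[1].rstrip("]")
        if "@" in part:
            out.append(part.lower())
    return out

def triage_inbox_rule(event, internal=INTERNAL_DOMAINS):
    """Return the reasons an inbox-rule audit event looks suspicious; [] if none."""
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        for addr in _addresses(params[name]):
            if addr.split("@")[1] not in internal:
                reasons.append(f"{name} to external address {addr}")
    for name in sorted(DELETE_PARAMS & params.keys()):
        if str(params[name]).lower() == "true":
            reasons.append(f"{name} enabled")
    if reasons and str(params.get("MarkAsRead", "")).lower() == "true":
        reasons.append("MarkAsRead hides the forwarded or deleted mail from the user")
    return reasons

# Constructed sample event (not real data) in the management-activity parameter shape
SAMPLE_EVENT = json.loads("""{
 "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.44",
 "Parameters": [
  {"Name": "Name", "Value": "."},
  {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
  {"Name": "ForwardTo", "Value": "External Drop [SMTP:drop@example.net]"},
  {"Name": "DeleteMessage", "Value": "True"},
  {"Name": "MarkAsRead", "Value": "True"}
 ]}""")

if __name__ == "__main__":
    for reason in triage_inbox_rule(SAMPLE_EVENT):
        print(f"{SAMPLE_EVENT['Operation']} by {SAMPLE_EVENT['UserId']}: {reason}")
```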

Mass File Access

index=o365 sourcetype=o365:management:activity Workload=SharePoint Operation IN ("FileAccessed", "FileDownloaded")
UserId="[email protected]"
| bucket _time span=1h
| stats count as file_count, dc(SourceFileName) as unique_files by _time
| where file_count > 50

OAuth Application Consents

index=azure_ad sourcetype=azure:aad:audit Category="ApplicationManagement"
ActivityDisplayName="Consent to application"
| search InitiatedBy.user.userPrincipalName="[email protected]"
| table _time, TargetResources{}.displayName, InitiatedBy.user.userPrincipalName

Compromise Indicators

Strong Indicators

  • Login from location user has never been
  • Inbox rules forwarding to external address
  • Password changed without user initiation
  • MFA registered from unknown device
  • Mass email sent to external recipients
  • OAuth consent to suspicious application

Moderate Indicators

  • Login from new device or browser
  • Access to systems outside normal role
  • Off hours activity increase
  • Failed MFA followed by successful login
  • Password reset request

Weak Indicators (Context Dependent)

  • Login from mobile network (changing IP)
  • Access from VPN or Tor (could be legitimate)
  • Single unusual login location (could be travel)

Response Actions

Confirmed Compromise

  1. Disable or reset user credentials immediately
  2. Revoke active sessions and tokens
  3. Remove suspicious inbox rules and forwarding
  4. Revoke OAuth application consents
  5. Review and remove unauthorized MFA devices
  6. Scan endpoints for malware if accessed
  7. Review what data was accessed
  8. Notify affected parties if data was exposed

Suspected Compromise

  1. Force password reset on next login
  2. Require MFA reauthentication
  3. Increase monitoring on the account
  4. Contact user for verification
  5. Review account for unauthorized changes

False Positive

  1. Document investigation findings
  2. Update detection logic if needed
  3. Add to known travel or exception list if appropriate

Documentation

Record for each investigation:

  • User account investigated
  • Investigation trigger (alert, report)
  • Timeline of suspicious activity
  • Evidence collected (screenshots, log excerpts)
  • User contact and response
  • Classification (compromised, suspicious, benign)
  • Actions taken
  • Follow-up required

