What is a risky user?

In Microsoft 365, a risky user is a user account that Microsoft Entra ID Protection (formerly Azure AD Identity Protection) has flagged because its sign-ins or behavior suggest the account may be compromised, or is at elevated risk of being compromised. Each flagged account carries a risk level (low, medium, or high) and a risk state, and the identification of risky users is part of Microsoft's continuous monitoring and threat detection for the tenant.

Many different risk detections can contribute to a user being flagged; some are evaluated in real time at sign-in, others offline after the fact. See Microsoft's documentation: What are risk detections?

Common risk detection factors

  • Unusual sign-in activity
    • Sign-ins from unfamiliar locations, devices, or browsers, or from anonymizing (Tor/VPN) IP addresses.
    • Many failed sign-in attempts across accounts, indicating a potential password spray or brute force attack.
  • Suspicious behavior
    • Sudden changes in user behavior, such as accessing sensitive data that the user typically does not interact with, or creating suspicious inbox forwarding rules.
    • Unusual patterns of activity that deviate from the user's normal behavior profile.
  • Known compromised credentials
    • Credentials that have been exposed in data breaches or found on the dark web (leaked credentials).
    • Sign-ins with the same credentials from two locations too far apart to travel between in the time elapsed (atypical travel).
  • Alerts from security systems
    • Detection of malware or other malicious software on the user's device.
    • Alerts from Microsoft threat intelligence or other security tools integrated with Microsoft 365, indicating potential threats.

Risky user states (Cloud Commander naming conventions)

Each state below corresponds to a riskState value on the Microsoft Graph riskyUser resource, shown in parentheses.

  • Safe (confirmedSafe): After investigation, the user account is verified as safe. There is no evidence of compromise or malicious activity. The account is considered secure, and no further immediate actions are needed.
  • Dismissed (dismissed): The risk alert for the user account has been reviewed and determined to be a false positive or not a significant threat. The alert is dismissed, the risk level is reset to none, and no further action is required at this time. The account is not considered at risk.
  • Remediated (remediated): The security threat associated with the user account has been addressed and resolved, typically because the user completed a secure password change or multifactor authentication required by a risk-based policy, or an administrator reset the password. Remediation steps are successfully implemented to mitigate the risk and restore the account to a secure state.
  • At risk (atRisk): The user account is currently flagged as being at risk based on detected suspicious activities or security alerts. The account has not yet been confirmed as compromised, but further investigation is recommended to determine the severity of the threat.
  • Compromised (confirmedCompromised): The user account is verified as compromised. This confirmation is based on investigation and evidence of malicious activities or unauthorized access; confirming compromise raises the risk level to high, so any user-risk Conditional Access policy applies immediately. Immediate action is required to mitigate the risk and secure the account.
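The following script is an added example, not part of the original article or of Cloud Commander: it uses the Microsoft Graph PowerShell SDK to list users in the "At risk" state, show the underlying risk detections behind each one, and then record the outcome of the investigation by moving the user to "Compromised" or "Dismissed". It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds the two scopes requested, and that the riskDetections endpoint accepts a $filter on userId; the user object IDs in the final two calls are placeholders to be replaced after investigation.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph.Identity.SignIns
# is installed and the caller can consent to the scopes below.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

# 1. Users currently in the "At risk" state (Graph riskState = atRisk), highest risk first.
$order = @{ high = 0; medium = 1; low = 2 }
$atRisk = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Sort-Object { if ($order.ContainsKey($_.RiskLevel)) { $order[$_.RiskLevel] } else { 3 } }

foreach ($u in $atRisk) {
    # 2. Pull the detections that produced the flag so the analyst sees *why* the user
    #    is risky (leakedCredentials, unfamiliarFeatures, anonymizedIPAddress, ...).
    #    Assumption: riskDetections supports $filter on userId.
    $detections = Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Sort-Object DetectedDateTime -Descending
    $latest = $detections | Select-Object -First 1

    [pscustomobject]@{
        User        = $u.UserPrincipalName
        RiskLevel   = $u.RiskLevel
        RiskState   = $u.RiskState
        LastUpdated = $u.RiskLastUpdatedDateTime
        Detections  = ($detections.RiskEventType | Select-Object -Unique) -join ', '
        LatestIP    = $latest.IPAddress
        LatestAt    = $latest.DetectedDateTime
    }
}

# 3. Record the investigation result. Both cmdlets take an array of user object IDs
#    (placeholders below). Confirming compromise sets riskState = confirmedCompromised
#    and riskLevel = high, which triggers any user-risk Conditional Access policy;
#    dismissing sets riskState = dismissed and riskLevel = none.
# Confirm-MgRiskyUserCompromised -UserIds @("<user-object-id>")
# Invoke-MgDismissRiskyUser     -UserIds @("<user-object-id>")
```

Review the detection list before choosing an action: a single unfamiliar-location sign-in that the user can account for is a candidate for Dismissed, while a leakedCredentials detection should be treated as Compromised even without a confirmed malicious sign-in, since the password itself is known to be exposed.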

Updated: Jun 13, 2024