All posts
cybersecurity

Investigating Suspicious Login Activity: A Small Lab

6 July 2026 4 min read
incident responselog analysisauthenticationsecurity operationsaccount security
Investigating Suspicious Login Activity: A Small Lab

Investigating Suspicious Login Activity: A Small Lab

Suspicious login activity is one of the most common things an IT or security team may need to review.

A failed login does not always mean something bad happened.

People mistype passwords. Devices retry old passwords. Apps break. Users forget they changed their password.

But some login patterns need attention.

For this lab, I used a simple scenario:

A user account had several failed login attempts, followed by a successful login.

The goal was to work through the event like a small incident investigation.

The Scenario

The account showed this pattern:

  1. Failed login
  2. Failed login
  3. Failed login
  4. Successful login

That pattern does not prove compromise.

But it does raise questions.

Was the user typing the wrong password?
Was someone guessing the password?
Did an attacker get in?
Did MFA stop the attempt?
Was the successful login from a known device?

The job is to collect evidence before making a decision.

Step 1: Collect the Basic Details

The first step is to gather the facts.

Useful details include:

  • Username
  • Time of each login attempt
  • Failed or successful result
  • Source IP address
  • Location
  • Device name
  • Browser or app used
  • MFA result
  • Any error codes

These details help build a clear picture.

Without them, the investigation becomes guesswork.

Step 2: Build a Timeline

A timeline makes the activity easier to understand.

Example:

TimeEventNotes
9:14 AMFailed loginFirst failed attempt
9:15 AMFailed loginSame user
9:16 AMFailed loginSame source
9:17 AMSuccessful loginNeeds review
9:20 AMFile accessCheck if normal

The timeline helps show whether the events are linked.

It also helps explain the issue to another person.

Step 3: Check the Context

Logs are useful, but they need context.

I would check:

  • Was the user working at that time?
  • Was the login from their normal location?
  • Was the device known?
  • Did MFA pass?
  • Was the login from a strange country?
  • Were other users targeted?
  • Was the account an admin account?

The same login event can have a different risk level based on context.

A failed login from a known office device may be low risk.

A successful login from an unknown country at 2 AM may be high risk.

Step 4: Check What Happened After Login

If the login looks suspicious, the next step is to check what happened after it.

Things to review:

  • Password changes
  • MFA changes
  • New inbox rules
  • Mailbox forwarding
  • File downloads
  • New device registrations
  • Permission changes
  • Admin actions
  • Access to sensitive data

Attackers often make changes after they get access.

A login event is only the start of the review.

Step 5: Decide the Risk

A simple risk table can help.

EvidenceRisk
One failed loginLow
Many failed loginsMedium
Success after many failuresMedium
Unknown locationHigh
MFA failedLower
MFA passed from unknown deviceHigh
Admin account involvedHigh

The risk rating should match the evidence.

Do not call something a breach without proof.

Do not ignore clear warning signs either.

Step 6: Recommend Actions

If the activity looks suspicious, I would recommend actions like:

  • Contact the user
  • Reset the password
  • Revoke active sessions
  • Check MFA methods
  • Review mailbox rules
  • Check recent file access
  • Review the user’s device
  • Watch for more login attempts
  • Escalate if sensitive access occurred

The action depends on the risk.

What This Lab Shows

This lab is small, but it shows a real security process.

The key steps are:

  • Collect evidence
  • Build a timeline
  • Check context
  • Look for follow-on activity
  • Rate the risk
  • Document the response

Conclusion

Suspicious login events need a calm process.

A failed login is not always an incident. A successful login after many failures is worth checking.

The most important skill is not using a specific tool.

The important skill is knowing how to ask the right questions, collect evidence, and explain what should happen next.


Comments