Investigating Suspicious Login Activity: A Small Lab
Investigating Suspicious Login Activity: A Small Lab
Suspicious login activity is one of the most common things an IT or security team may need to review.
A failed login does not always mean something bad happened.
People mistype passwords. Devices retry old passwords. Apps break. Users forget they changed their password.
But some login patterns need attention.
For this lab, I used a simple scenario:
A user account had several failed login attempts, followed by a successful login.
The goal was to work through the event like a small incident investigation.
The Scenario
The account showed this pattern:
- Failed login
- Failed login
- Failed login
- Successful login
That pattern does not prove compromise.
But it does raise questions.
Was the user typing the wrong password?
Was someone guessing the password?
Did an attacker get in?
Did MFA stop the attempt?
Was the successful login from a known device?
The job is to collect evidence before making a decision.
Step 1: Collect the Basic Details
The first step is to gather the facts.
Useful details include:
- Username
- Time of each login attempt
- Failed or successful result
- Source IP address
- Location
- Device name
- Browser or app used
- MFA result
- Any error codes
These details help build a clear picture.
Without them, the investigation becomes guesswork.
Step 2: Build a Timeline
A timeline makes the activity easier to understand.
Example:
| Time | Event | Notes |
|---|---|---|
| 9:14 AM | Failed login | First failed attempt |
| 9:15 AM | Failed login | Same user |
| 9:16 AM | Failed login | Same source |
| 9:17 AM | Successful login | Needs review |
| 9:20 AM | File access | Check if normal |
The timeline helps show whether the events are linked.
It also helps explain the issue to another person.
Step 3: Check the Context
Logs are useful, but they need context.
I would check:
- Was the user working at that time?
- Was the login from their normal location?
- Was the device known?
- Did MFA pass?
- Was the login from a strange country?
- Were other users targeted?
- Was the account an admin account?
The same login event can have a different risk level based on context.
A failed login from a known office device may be low risk.
A successful login from an unknown country at 2 AM may be high risk.
Step 4: Check What Happened After Login
If the login looks suspicious, the next step is to check what happened after it.
Things to review:
- Password changes
- MFA changes
- New inbox rules
- Mailbox forwarding
- File downloads
- New device registrations
- Permission changes
- Admin actions
- Access to sensitive data
Attackers often make changes after they get access.
A login event is only the start of the review.
Step 5: Decide the Risk
A simple risk table can help.
| Evidence | Risk |
|---|---|
| One failed login | Low |
| Many failed logins | Medium |
| Success after many failures | Medium |
| Unknown location | High |
| MFA failed | Lower |
| MFA passed from unknown device | High |
| Admin account involved | High |
The risk rating should match the evidence.
Do not call something a breach without proof.
Do not ignore clear warning signs either.
Step 6: Recommend Actions
If the activity looks suspicious, I would recommend actions like:
- Contact the user
- Reset the password
- Revoke active sessions
- Check MFA methods
- Review mailbox rules
- Check recent file access
- Review the user’s device
- Watch for more login attempts
- Escalate if sensitive access occurred
The action depends on the risk.
What This Lab Shows
This lab is small, but it shows a real security process.
The key steps are:
- Collect evidence
- Build a timeline
- Check context
- Look for follow-on activity
- Rate the risk
- Document the response
Conclusion
Suspicious login events need a calm process.
A failed login is not always an incident. A successful login after many failures is worth checking.
The most important skill is not using a specific tool.
The important skill is knowing how to ask the right questions, collect evidence, and explain what should happen next.