Office 365 Login Monitor
One of the first indications of attack may be unexpected or repeated login attempts from unusual locations -- even outside the country. An effective defense can be as simple as monitoring for login attempts originating outside the country. Unfortunately, this seemingly simple task is more complicated in a cloud environment.
The Login Monitor tracks login attempts across all customers and alerts you when there is an attempt to log in from a foreign country. You can configure what countries you expect to be using your cloud instances independently for each customer, or even whitelist individual IPs in the configuration settings.
What to Look At
This is a list of people trying to log in to your Office 365 instance. Look at
1. Who is trying to log in?
2. Where are they trying to log in from?
When to Be Scared
If you are getting a large number of login attempts (especially failed login attempts),
If you are getting login attempts from new accounts, accounts with unusual names or names that do not follow your naming conventions, or accounts you have never seen before (when you are familiar with a customer's users),
If you are getting login attempts from countries in which your customer does not have employees; especially Russia, China, or Iran:
If you get login alerts with non-zero reputation detections (i.e. at least one red dot in the circles on the alert),
When to Not Be Scared
If your customer takes business trips to a foreign country and there are a small number of successful logins from that country, it is most likely that this is a legitimate employee accessing the network on a business trip.
If you see logins that occur and unusual times of the day/outside business hours, this could be malicious. However, keep in mind time zones. A login from someone in England that happens at 4 a.m. CT is reasonable, because England is 5-8 hours ahead of North American working hours (depending on Daylight Savings).