Barracuda Finds Malicious Microsoft 365 Logins Are Blending In  | eSecurity Planet

Barracuda finds that trusted Microsoft 365 logins can hide attacks.

Written By
Ken Underhill
Jun 4, 2026

Organizations that rely heavily on failed login attempts to detect account compromise may be missing a growing threat. 

According to recent data from Barracuda, attackers are increasingly using legitimate credentials and trusted-looking infrastructure to successfully access Microsoft 365 environments while blending into normal user activity. 

“Attackers know many security teams are looking for the obvious signs of compromise, so they’re working harder to blend in,” said Merium Khalid, Director of Offensive Security at Barracuda, in an email to eSecurityPlanet.

She explained, “A login from a familiar location or activity associated with a trusted brand can still be risky if the subsequent behavior doesn’t match the user.”

Merium added, “Defenders need to connect the dots across identity, endpoint, and network activity because the warning signs appear only after access has been gained.”

Key Takeaways

  • According to Barracuda’s data, malicious Microsoft 365 logins from low-risk countries increased by approximately 25% in April 2026.
  • Attackers are using VPNs, residential proxies, and legitimate credentials to blend into normal user activity.
  • Successful logins often receive less scrutiny than failed authentication attempts, creating opportunities for compromise.
  • Traditional indicators such as geographic location and IP reputation are becoming less reliable on their own.
  • Monitoring post-login behavior can help identify compromised accounts that appear legitimate at authentication.

Malicious Logins Blend Into Normal Traffic 

Barracuda researchers observed a roughly 25% increase in malicious Microsoft 365 logins originating from low-risk countries such as the United States and the United Kingdom during April 2026. 

The trend highlights how threat actors are adapting their tactics to evade detection by making malicious activity appear indistinguishable from legitimate user behavior.

Rather than relying on infrastructure commonly associated with cybercriminal operations, attackers are increasingly using VPN services, residential proxies, and rotating IP addresses to disguise their true locations. 

These tactics help authentication attempts blend into normal network traffic, reducing the likelihood that geographic-based security controls will flag them as suspicious.

While organizations often focus on identifying brute-force attacks and repeated login failures, successful logins often receive less scrutiny. 

As a result, attackers can gain access to corporate resources without immediately triggering alerts.

In some cases, the credentials used in these types of attacks are obtained through phishing campaigns or infostealer malware.

Why Traditional Login Indicators Are Losing Value 

Barracuda’s findings suggest that traditional indicators such as geographic location and IP reputation are becoming less effective on their own. 

A login originating from a familiar region or trusted network does not necessarily indicate legitimate activity. 

Instead of focusing solely on authentication events, organizations should monitor post-login behaviors such as access from unfamiliar devices, unusual login times, impossible travel, abnormal file access, unauthorized mailbox rule creation, and privilege escalation activity. 

These indicators often provide stronger evidence of compromise and can help identify attackers operating within the environment. 
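As an added illustration (not code from Barracuda or the original article), the sketch below scores successful sign-ins on three of the post-login signals named above: an unfamiliar device, impossible travel, and mailbox rule creation shortly after login. The events are constructed, and the field names, the 900 km/h speed limit, and the 30-minute window are assumptions rather than a real log schema or vendor threshold.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events; field names are simplified assumptions.
SIGNINS = [  # both alice logins come from "low-risk" countries (UK, then US)
    {"user": "alice", "time": "2026-04-02T08:00:00", "device": "dev-1", "lat": 51.5, "lon": -0.1, "ok": True},
    {"user": "alice", "time": "2026-04-02T09:00:00", "device": "dev-9", "lat": 40.7, "lon": -74.0, "ok": True},
    {"user": "bob", "time": "2026-04-02T09:30:00", "device": "dev-2", "lat": 40.7, "lon": -74.0, "ok": True},
]
AUDIT = [
    {"user": "alice", "time": "2026-04-02T09:10:00", "op": "New-InboxRule"},
    {"user": "bob", "time": "2026-04-02T10:00:00", "op": "FileAccessed"},
]
KNOWN_DEVICES = {"alice": {"dev-1"}, "bob": {"dev-2"}}
MAX_KMH = 900                    # assumed ceiling for plausible travel speed
WINDOW = timedelta(minutes=30)   # assumed look-ahead after a sign-in
RISKY_OPS = {"New-InboxRule"}    # mailbox rule creation

def ts(event):
    return datetime.fromisoformat(event["time"])

def km(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 6371 * 2 * asin(sqrt(h))

def score_signins(signins, audit, known):
    """Return (user, time, reasons) for successful sign-ins with post-login signals."""
    findings, last = [], {}
    for s in sorted(signins, key=ts):
        if not s["ok"]:
            continue  # failed attempts are handled elsewhere; focus on successes
        reasons = []
        if s["device"] not in known.get(s["user"], set()):
            reasons.append("unfamiliar_device")
        prev = last.get(s["user"])
        if prev:
            hours = max((ts(s) - ts(prev)).total_seconds() / 3600, 1e-9)
            if km(prev, s) / hours > MAX_KMH:
                reasons.append("impossible_travel")
        if any(a["user"] == s["user"] and a["op"] in RISKY_OPS
               and timedelta(0) <= ts(a) - ts(s) <= WINDOW for a in audit):
            reasons.append("mailbox_rule_after_login")
        last[s["user"]] = s
        if reasons:
            findings.append((s["user"], s["time"], reasons))
    return findings
```

A country allow-list would pass every sign-in in this sample; only the combination of device, travel speed, and follow-on mailbox activity singles out the second alice login.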

How to Reduce Identity Risk 

Effective identity security requires a combination of preventive controls, continuous monitoring, and risk-based access decisions. 

  • Monitor both successful and failed login attempts and investigate unusual behavior such as new devices, unexpected locations, or abnormal login times.
  • Enforce phishing-resistant multifactor authentication (MFA) across all accounts, especially for privileged users.
  • Implement Conditional Access and risk-based authentication policies to evaluate user, device, and session risk before granting access.
  • Disable legacy authentication protocols and regularly review OAuth application permissions to reduce unauthorized access pathways.
  • Correlate identity, endpoint, and network telemetry with threat intelligence to identify suspicious activity and known malicious infrastructure.
  • Conduct regular credential hygiene assessments, including reviews for exposed, reused, or compromised passwords, and provide ongoing security awareness training.
  • Test incident response plans and use attack simulation tools with scenarios around identity-based attacks.

These measures can help reduce the likelihood and impact of identity-focused attacks. 

Rise of Identity-Based Attacks 

Barracuda’s findings highlight a broader shift toward identity-focused attacks, where threat actors blend into legitimate user activity rather than relying on noisy exploitation techniques. 

For security teams, successful authentication should no longer be treated as proof of trust. 

Effective detection depends on correlating identity, endpoint, and network signals to identify abnormal post-login behavior that may indicate account compromise. 

As identity-based attacks continue to evolve, organizations are turning to zero trust solutions to help reduce the risks associated with compromised credentials.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
