
How to detect impossible travel in Microsoft 365: Your early warning for credential theft

Written by:

Adam Fuller, Special Projects Engineer


Impossible travel, a key indicator of account compromise, occurs when login attempts for the same account come from geographically distant locations within a timeframe that defies physical possibility.

Security Engineer Paul Colon of Addition Financial experienced this firsthand: while working for a previous employer, he handled a case of impossible travel that affected multiple staff members.

“A phishing email had been sent that got past our email protections. Users fell for the phish and logged into a fake Office365 site. Just like that, bad guys had their credentials,” said Colon. “We were a full remote operation with limited datacenter bandwidth, so we did not have the luxury of being able to backhaul people's traffic through our datacenter firewalls and limit access to our cloud resources by IP.”

A user logged in from New York, then two minutes later from Tokyo. That alert led Colon to uncover a phishing attack, block the threat, and reset compromised credentials. The next step was investigating whether any sensitive data was accessed or exfiltrated before attackers were blocked.

Why impossible travel matters

Impossible travel alerts aren’t just about unusual activity—they signal an urgent need to act. These types of anomalies often indicate a successful phishing campaign, credential theft, or token misuse. They help organizations catch attacks that would otherwise slip past traditional defenses.

That’s because attackers attempt to mimic legitimate user behavior. Once they have access, they often avoid triggering detection by using stolen tokens, or simply because no detection rules are in place. Impossible travel alerts raise the flag, prompting teams to investigate access history, MFA patterns, and recent activity across apps and mailboxes.

Strengthening your strategy

Organizations can get ahead of these threats by aligning detection with access controls and response workflows. Here are a few key practices:

  • Start with baselining: Know what “normal” looks like in your environment—common login locations, devices, and times of access—so deviations stand out.
  • Use conditional access policies: Blocking or restricting access by country, device compliance, or session context can reduce the window of opportunity for attackers.
  • Opt in for phishing-resistant or passwordless MFA: These modern MFA methods offer stronger protection against credential theft and phishing attacks than traditional approaches. But even with advanced authentication in place, it’s critical to monitor for successful logins from unusual locations or devices and ensure the activity aligns with expected user behavior.
  • Enable reporting before enforcing: Running new access rules in report-only mode allows teams to gather data and refine policies without disrupting users.
  • Review sign-in logs regularly: Don’t wait for alerts—proactively look for failed logins, unfamiliar geographies, and unusual device patterns, especially in cloud email and collaboration platforms.
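To make the sign-in log review and the New York/Tokyo scenario above concrete, here is an added example (not code from the original post or from ThreatLocker) that walks consecutive sign-ins per user, computes the speed a person would have needed to travel between the two geolocated IPs, and flags pairs that exceed a physical limit. The sign-in records, the trusted VPN egress IP and the 1000 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real log data). The fields mirror what a
# Microsoft 365 / Entra ID sign-in log exposes once IP geolocation has been resolved.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2025-01-15T09:00:00Z", "ip": "203.0.113.10", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice@example.com", "time": "2025-01-15T09:02:00Z", "ip": "198.51.100.7", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503},
    {"user": "bob@example.com", "time": "2025-01-15T08:00:00Z", "ip": "192.0.2.5", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob@example.com", "time": "2025-01-15T16:00:00Z", "ip": "192.0.2.9", "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "carol@example.com", "time": "2025-01-15T10:00:00Z", "ip": "192.0.2.44", "city": "Chicago", "lat": 41.8781, "lon": -87.6298},
    {"user": "carol@example.com", "time": "2025-01-15T10:05:00Z", "ip": "203.0.113.200", "city": "Dublin", "lat": 53.3498, "lon": -6.2603},
]

# Hypothetical corporate VPN egress: its geolocation does not reflect where the user sits,
# so hops to or from it are excluded to avoid false positives for travelling/VPN users.
TRUSTED_IPS = frozenset({"203.0.113.200"})
MAX_SPEED_KMH = 1000.0  # above airliner cruising speed: no legitimate user moves this fast

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def _ts(rec):
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))

def find_impossible_travel(sign_ins, trusted_ips=TRUSTED_IPS, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive sign-in pair whose implied travel speed is impossible."""
    by_user = {}
    for rec in sorted(sign_ins, key=lambda r: (r["user"], _ts(r))):
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["ip"] in trusted_ips or cur["ip"] in trusted_ips:
                continue  # baseline/trusted egress: geolocation is not meaningful here
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600.0
            # Same-second logins from two places are still impossible: treat as infinite speed.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "minutes": round(hours * 60, 1), "km": round(dist), "kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for a in find_impossible_travel(SIGN_INS):
        print(f"ALERT {a['user']}: {a['from']} -> {a['to']} in {a['minutes']} min ({a['km']} km, {a['kmh']} km/h)")
```

Run stand-alone, it flags only alice (New York to Tokyo in two minutes); bob's London-to-Paris hop is well within a day's travel, and carol's jump to the trusted VPN egress is skipped as a known false-positive source.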

Putting it into practice

Colon’s experience shows how quickly a compromise can escalate—and how critical it is to have both proactive and reactive security tools in place. When the impossible travel alert surfaced, he was able to coordinate with his team to identify affected users, reset passwords, and search mailbox activity logs for signs of data access.

With the release of Advanced Anomaly Detection in ThreatLocker Cloud Detect, teams can take this response a step further. The new capability improves detection accuracy by using trusted IPs to reduce false positives for traveling users and extends visibility beyond Microsoft 365 to other cloud applications. It works independently of Microsoft licensing and analyzes log data to pinpoint high-risk anomalies like impossible travel, which often signals account compromise.

Beyond detection, Cloud Detect enables custom policies and automated responses. Whether you want to trigger alerts for unusual login patterns, generate tickets for IT review, or automatically restrict access to compromised accounts, Advanced Anomaly Detection helps your team act faster and with greater confidence against emerging threats.

Want to learn more?

Dive deeper with our webinar series, 100 days to secure your environment.

Request your 30-day trial to the entire ThreatLocker platform today.
