Who’s Using a Proxy or VPN in Your M365 Environment — and Why It Matters

  • Jul 21
  • 3 min read

While working with SOC teams in Microsoft environments, I’ve observed that during impossible travel investigations, analysts often have to manually verify whether the login IPs belong to VPNs or proxy services — a tedious process that adds unnecessary complexity to their workflow.

In today’s threat landscape, knowing where users log in from — and whether they’re behind a VPN, proxy, or data center IP — is crucial. But not all proxy use is malicious. In fact, a lot of it is completely benign.


That’s where most tools fall short: they either over-alert or under-contextualize. Petra doesn’t.


------------------------------------------------------------------------------------------------------------

🧠 Petra’s Approach: Context First, Always

Petra Security was built to detect real account compromises, not generate noise. It doesn’t just flag every VPN or proxy login — instead, it performs deep analysis to distinguish legitimate user behavior from suspicious patterns.


Yes, some attackers use VPNs. But so do:

  • Traveling executives

  • Remote employees

  • Third-party contractors

  • Mobile users switching networks


Petra understands that — and separates harmless VPN use from actual threats. But here’s the cool part: even benign usage is logged, preserved, and made instantly accessible for analysis.


🔍 Two Powerful Ways to Investigate VPN and Proxy Use in Petra

Whether you're investigating an incident or just trying to understand user access trends, Petra offers two main methods:


📊 1. Reporting Interface — for Stakeholder-Friendly Insights

Want a fast, clean way to see who logged in from a proxy or data center?

Here’s how:

  • Go to your tenant (top left corner)

  • Click the Reporting tab

  • Open the Uncommon Activity sub-tab

  • Filter by Type: Proxy and Data Center Use


You’ll get a list of users who accessed the environment through proxies, along with:

  • Timestamp of the event

  • User details

  • IP, ISP, and data center provider info


Each entry can be clicked to open a dedicated view showing the context around the event, powered by Petra’s built-in log viewer.

Perfect for quick reviews and sharing with stakeholders during audits or reviews.



🧠 2. Logs Viewer — for Deep Dive Investigations

For analysts or incident responders, Petra’s Activity Viewer (aka Logs Viewer) is where the real power lies.

To investigate proxy use deeply:

  • Navigate to the tenant’s main dashboard

  • Scroll to the Activity panel

  • Apply these filters:

    • Proxy: Yes — to isolate proxy traffic

    • Login Status: Successful — to focus on real accesses



Now you’re seeing every successful login that came through a proxy.



🔧 Advanced Filtering at Your Fingertips

Want to pivot quickly? Petra makes it seamless:


  • Filter by User: Right-click a username → Include — focuses only on that user

  • Filter by ISP or Provider: Right-click an ISP (like Cloudflare or DigitalOcean) → Exclude — remove known-good noise

  • Combine with other fields like Country, Device Type, Operating System, or Login Method for laser-focused investigations


This flexibility is what makes Petra such a powerful forensic tool — whether you're doing routine monitoring or full-scale IR.
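
The same filter chain (Proxy: Yes, Login Status: Successful, then Include user or Exclude ISP) can be reproduced offline on exported sign-in records. This is an added example, not Petra's code or export format: the field names (`ts`, `user`, `isp`, `proxy`, `status`), the sample records and the "seen on more than one day" heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in records. Field names are assumptions, not Petra's schema.
# IPs come from the RFC 5737 documentation ranges.
SIGN_INS = [
    {"ts": "2025-07-14T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10", "isp": "Cloudflare", "proxy": True, "status": "success"},
    {"ts": "2025-07-15T08:05:43Z", "user": "alice@example.com", "ip": "203.0.113.11", "isp": "Cloudflare", "proxy": True, "status": "success"},
    {"ts": "2025-07-16T02:41:09Z", "user": "alice@example.com", "ip": "198.51.100.77", "isp": "DigitalOcean", "proxy": True, "status": "success"},
    {"ts": "2025-07-16T09:12:30Z", "user": "bob@example.com", "ip": "198.51.100.80", "isp": "DigitalOcean", "proxy": True, "status": "failure"},
    {"ts": "2025-07-16T09:30:00Z", "user": "bob@example.com", "ip": "192.0.2.5", "isp": "Example Broadband", "proxy": False, "status": "success"},
    {"ts": "2025-07-17T11:00:00Z", "user": "carol@example.com", "ip": "198.51.100.90", "isp": "DigitalOcean", "proxy": True, "status": "success"},
]


def filter_proxy_logins(events, include_user=None, exclude_isps=()):
    """Keep successful proxy logins, then apply optional Include user / Exclude ISP."""
    excluded = {isp.lower() for isp in exclude_isps}
    return [
        e for e in events
        if e["proxy"] and e["status"] == "success"
        and (include_user is None or e["user"] == include_user)
        and e["isp"].lower() not in excluded
    ]


def summarize_by_user(events):
    """Per user and ISP, count distinct login days.

    Assumed heuristic: a provider seen on one day only is a candidate for a
    closer look; one seen on several days looks like routine proxy use.
    """
    days = defaultdict(set)
    for e in events:
        days[(e["user"], e["isp"])].add(e["ts"][:10])  # YYYY-MM-DD prefix
    summary = defaultdict(dict)
    for (user, isp), seen in sorted(days.items()):
        summary[user][isp] = {"days": len(seen), "repeated": len(seen) > 1}
    return dict(summary)


if __name__ == "__main__":
    hits = filter_proxy_logins(SIGN_INS, exclude_isps=["Cloudflare"])
    for user, isps in summarize_by_user(hits).items():
        print(user, isps)
```
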

------------------------------------------------------------------------------------------------------------

🛡️ What About Malicious VPN Use?

Petra does classify suspicious VPN/proxy activity as an incident — when it detects behavioral anomalies or infrastructure overlap with known threats.


But for everything else — including normal, repeated proxy use — Petra keeps a record, provides deep context, and lets you make the final call based on full visibility.


------------------------------------------------------------------------------------------------------------

🔍 Final Thought

You can’t detect identity compromise without understanding how users are connecting. Petra’s approach to VPN and proxy detection is smart, contextual, and deeply investigable — without the noise or guesswork.


Whether you're hunting for threat actor infrastructure or just learning who your heavy VPN users are, Petra gives you the tools — and clarity — to act confidently.
