Any sign-ins from unusual countries should be investigated as possible breaches. If no business explanation is provided, consider suspending the account until the matter is clarified.
You can configure countries from which sign ins Office Protect will alert you.
Remediation
Validate with the user for a potential breach, accounts can be temporarily disabled through the admin portal until investigated. You can also investigate suspicious account activity directly through the Azure AD portal. If the account potentially compromised was an Admin, look out for other Office Protect events related to this user.
Users that are not in your domain may also cause alerts
Office Protect monitors Sign-Ins to the Azure Active Directory, sign-ins to Exchange and all activities from SharePoint. We are monitoring SharePoint globally because you don’t necessarily have to log in to Azure to perform activities from SharePoint.
This can happen when a user clicks on an anonymous link, a user ID will be automatically generated by Microsoft. This user starts with “urn:spo:anon#”. If the link used from a country that has been listed as unauthorized, Office Protect will alert you.
In Microsoft 365, you can also create links to specific users that are not part of your organization. This is done by using the “Specific People” option when a user shares a file through OneDrive or SharePoint. If the recipient authenticates from an unauthorized country, it will generate an Azure AD Login and Office Protect will alert you. Note that these logins are not available from the Unified Audit Logs nor the Azure AD Logs
About third-party backup software
If your clients are using a third-party backup software for SharePoint and OneDrive, such as Datto or Acronis, these softwares will generate operations that will trigger login activities. Most of the time these logs come from IPs in the United States, from the “app@sharepoint.com” user. Usually, these logins always come from the same IP address.
Office Protect does not whitelist any third parties from our detection system, to ensure that no attack goes unseen. If you want to reduce the number of alerts that you receive from Office Protect for these use cases, we recommend using the Ignore feature.
Our Ignore feature will whitelist any alert with the same combination of IP and user. You will still be able to see the alerts in the Report section of Office Protect, by filtering to Ignored events. Note that it may happen that your software providers change IPs, but it should happen only once every few weeks/months.