FAQ
If the password is shown in the alert, make sure to change it everywhere it is being used.
In that case, there is usually no need for action. You are welcome to keep the alert for documentation, but it is typically not a sign of a current issue.
Change the password immediately, including on any other services where the same password may have been used.
It means that our monitoring has detected an email address, IP address, or other information that can be linked to your domain in data that has previously been leaked, shared, or sold online.
This could be information from:
It does not necessarily mean that your current email account or Microsoft 365 environment has been compromised.
Not necessarily.
A Dark Web finding means that information related to your domain has been found somewhere where compromised data is shared, collected, or sold. It may come from a completely different service that an employee previously used with their work email address.
For example:
An employee may have used their work email to create an account on an external website. If that website is later affected by a data breach, the email address -and possibly a password – may appear in a leaked database, even though your Microsoft 365 account has not been compromised.
This happens quite often.
Our Dark Web monitoring sends an alert if an email address using your domain appears in leaked data, combolists, or similar sources. This does not necessarily mean that there is an active mailbox in your company with that address.
It may be:
If the email address does not exist in your Microsoft 365 environment, and there are no signs of misuse, there is usually no need for further action.
If the user has been properly removed and the account is no longer active, this is normally not an urgent issue.
However, we still recommend checking whether:
If the account has been closed, the license removed, and access has been disabled, the risk is usually limited.
Then the finding is most likely related to an address that was generated, collected, guessed, or added to a list without ever being a real active account.
This can happen because lists of compromised data often contain mixed information. Some data is real, while other data may be old, duplicated, misspelled, automatically generated, or linked to previous systems.
If the address does not exist in your environment, and we cannot see any signs of activity in Microsoft 365, everything is generally fine.
A combination list — often called a combolist — is a list of usernames/email addresses and passwords that has typically been compiled from several different data breaches, forums, paste sites, or previously compromised datasets.
This means the list does not necessarily come from one specific attack against your company.
In many cases, combolists contain reused credentials from older exposures or other leaked datasets.
Sometimes the source of a finding cannot be disclosed or identified.
This may be because:
In other words, “Not disclosed” does not automatically mean that the finding is more serious. It often simply means that the original source cannot be confirmed.
The alert may include two different dates:
This is the date when the information appears to have been found or registered in a leaked source.
This is the date when the finding was added to the monitoring platform and became visible to us.
This means that a finding can be old, even if the alert has only just been sent.
If the password mentioned in the alert is still being used anywhere, it should be changed immediately.
This applies to:
Never use the same password across multiple services.
We also recommend enabling multi-factor authentication wherever possible.
If the password is no longer used anywhere, there is usually no need for urgent action.
However, we still recommend that you:
Old passwords can still be useful to attackers if they try to guess password patterns or attempt access to other services.
You do not necessarily need to reply if:
If you are unsure, you are always welcome to contact us.
It is especially relevant to contact us if:
Yes.
If you contact us, we can help check whether the email address exists in your Microsoft 365 environment and whether there are any signs of suspicious activity.
We can check, for example:
We send these alerts to help you react quickly if information related to your domain appears in leaked datasets.
The purpose is not to cause unnecessary worry, but to give you the opportunity to take action if the information is still relevant.
In many cases, everything is fine especially if the address is old, the account has been closed, or the password is no longer used. But if the information is still active, a quick response can make a big difference.
As a minimum, we recommend that you:
Cybersecurity is rarely about one single solution. It is about reducing risk over time and responding quickly when something needs attention.
We are always happy to hear from you. All questions are welcome.
For at give dig den bedste oplevelse bruger vi teknologier som cookies til at lagre og/eller få adgang til oplysninger på din enhed. Ved at give samtykke til disse teknologier kan vi behandle data såsom din browsingadfærd eller unikke ID’er på dette website. Hvis du ikke giver samtykke eller trækker dit samtykke tilbage, kan det påvirke visse funktioner og muligheder på sitet.