I have seen a couple of instances of a suspicious session alert that references a second session for a user a few minutes after a normal login. The first session shows the user’s normal location, and the second session (in two alert instances) shows this:
| Registrant | Microsoft Azure |
| Location | Singapore, SG |
| Host Name | unknown |
| User Agent | MSOCS |
| Service Name | Box for Microsoft Office (Desktop) |
This looks like a session that may be created by the Box for Msft Office function, but the fact that Box Shield is flagging it as a suspicious session makes me wonder. Has anyone else seen this type of alert and determined whether it is innocuous or malicious?