Microsoft services have fully recovered from the degraded M365 sign-in audit log delivery, and Abnormal services have also recovered as of 09:41 UTC on May 30, 2026. Abnormal engineering has initiated a reprocess to ensure all Account Takeover detections from the impacted time window are properly processed. No sign-in data was lost during this event. If you experience any further issues, please reach out to Abnormal support at support@abnormalsecurity.com.
Posted May 30, 2026 - 09:14 PDT
Update
Microsoft has confirmed the root cause of the degraded M365 sign-in audit log delivery has been fixed and services are currently recovering. Microsoft estimates full recovery within approximately 7 hours. Once Microsoft services complete recovery, Abnormal expects Account Takeover detection to begin processing normally and will work through the backlog of sign-in events from this incident. No data has been lost. Abnormal will post a final resolved update once Microsoft confirms full restoration and backlog processing is complete.
Posted May 29, 2026 - 15:43 PDT
Identified
Microsoft has confirmed that the degraded delivery of M365 sign-in audit logs was caused by a power event in their West US 2 datacenter, which began at 04:27 UTC on May 29, 2026. Microsoft has reported that their service is on a recovery path and is currently processing the accumulated backlog, including sign-in stream data. As a result, customers using Account Takeover detection with Microsoft M365 may continue to experience delays in the creation of detection cases based on sign-in activity until the backlog is fully consumed. No sign-in data has been lost, and Abnormal has adjusted processing to account for the delay and ensure no detections are missed. All other Account Takeover data sources continue to operate at full capacity. Abnormal will continue to monitor and provide a further update once Microsoft confirms full recovery. If you have any questions, please reach out to Abnormal support at support@abnormalsecurity.com.
Posted May 29, 2026 - 15:23 PDT
Update
We are continuing to investigate this issue.
Posted May 29, 2026 - 08:31 PDT
Investigating
Since 04:27 UTC on May 29, 2026, Microsoft has been experiencing degraded delivery of M365 sign-in audit logs due to an issue on Microsoft's infrastructure. As a result, customers using Account Takeover detection with Microsoft M365 may see a delay of up to 90 minutes in the creation of detection cases based on sign-in activity. No sign-in data is being lost, and Abnormal has adjusted processing to account for the delay and ensure no detections are missed. All other Account Takeover data sources continue to operate at full capacity. Abnormal is actively monitoring the situation and will provide updates as it evolves. If you have any questions, please reach out to Abnormal support at support@abnormalsecurity.com.
Posted May 29, 2026 - 08:25 PDT
This incident affected: Account Takeover Service (ATO) and Abnormal Gov (Account Take Over (ATO)(Fedramp)).