Presence is built to understand and identify signs of malicious behavior, whether it's from inside or outside your organization. It develops a clear, contextual understanding of how every user's account normally behaves, so any unusual activity will stand out.
But there are also clear, practical risks that simply need to be surfaced as they happen. For example, admin accounts carry significant weight and need to have safeguards in place to flag compromised accounts at the first sign of misuse. Others are every day, seemingly harmless choices that still introduce unnecessary exposure. Storing passwords in shared documents or using work accounts for personal services may seem minor, but each one creates a small, preventable gap in one's security posture.
To cover both ends of this spectrum, we are introducing two new features to Presence:
Canaries: A built-in alarm that alerts when an admin’s account may be unknowingly in the wrong hands
Low-Risk Events: A 7-day view of low-risk events to help pinpoint areas for strengthening your organization’s security posture
Canaries
Admin accounts are natural targets for attackers. If someone gets in, one of the first things they often do is comb through emails for links or attachments that could give them even more access.
Presence adds an extra layer of protection to every admin account by planting realistic-looking canaries in Outlook. These emails blend seamlessly into everyday activity and are designed to lure in and catch anyone who gains unauthorized access. They:
Are only visible in an admin’s sent mailbox
Look like ordinary emails within your tenant
Contain links that are likely to draw an attacker’s attention
Are added automatically, with no setup required for admins
If someone interacts with a canary by clicking a trap link, Presence immediately notifies your organization that the account may be compromised.
Low-Risk Events
Not every security risk comes from a sophisticated attack or a malicious employee. Often, it’s everyday actions that are well-intentioned or seemingly harmless that leave accounts more exposed than they need to be. Presence now brings these actions together in one place, giving you a clear snapshot of the low-risk events that have introduced small security gaps over the past seven days.
Examples include users storing passwords in shared documents, downloading unsafe content onto the company's network, or using work emails for personal services. On their own, these actions are minor, but each one leaves the kind of opening attackers pay attention to.
A strict seven-day window keeps low-risk events focused on recent behavior instead of historical noise. With fresh, relevant context, small fixes like a quick chat or a minor policy tweak, become easy opportunities to tighten security before issues grow.
A New Way to Stay Ahead
These features give you a clearer view of what’s happening in your organization, helping you stay ahead of potential risks. Canaries alert you the moment an admin account looks to be compromised, while low-risk events highlight areas where small changes could make your team more secure.
Over time, they provide security teams with a realistic, day-to-day picture of activity across the organization, providing the insight needed to intervene early, reinforce good habits, and keep both user and admin accounts safer.
