It would be helpful to include more details about the login in the Escalation (and ideally email) so we can tell if it's a login from an Azure AD Joined or Registered device, or the device is Managed and Compliant. This would allow us to identify how severe the issue is more easily.