Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers. These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyber attacks to establish control and steal information. Microsoft has access to cyber-intelligence that allows them to scan for stolen credentials (from mass databases listing the information obtained from previous breaches), and if any are detected in use against your tenant (via Azure AD), it can alert and take immediate action to protect the identity by enforcing additional authentication checks (look up Azure AD Identity Protection for more details).