Techniques for detecting fraudulent account usage without accessing user content associated with user accounts are disclosed herein. In one embodiment, a method includes receiving a report indicating fraudulent account usage related to an account of the computing service and in response to the received report, disallowing access to any content items associated with the account without disabling access to the account. While access to the content items is disallowed, collecting usage data related to the account or the content items and developing a model representing an activity profile of accessing the account or the content items. The method further includes detecting additional fraudulent account usage based on the developed model without scanning content items in the additional accounts.