Azure AD Account Concurrent Sessions from Different IPs
Detection of Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking and unauthorized access.
This analytic identifies Azure AD accounts exhibiting concurrent sessions originating from multiple unique IP addresses within a short timeframe. The detection leverages Azure Active Directory NonInteractiveUserSignInLogs to analyze successful authentication events and count distinct source IPs within a 5-minute window. The activity is flagged as suspicious due to the potential for session hijacking, where an attacker uses stolen session cookies (possibly obtained via phishing kits like Evilginx2) to access corporate resources from geographically diverse locations. Successful session hijacking could lead to unauthorized access to sensitive information and potential data breaches. This detection is relevant for organizations using Azure AD for authentication and authorization. The original Splunk query was published on 2026-04-17.
Attack Chain
- Attacker compromises user credentials or obtains session cookies via phishing or other methods (e.g., Evilginx2).
- Attacker initiates a session from a new IP address, potentially outside the user's typical geographic location.
- The user also has a legitimate session active from their usual location.
- Azure AD records successful authentication events from both the attacker's IP and the user's legitimate IP.
- The analytic detects the concurrent sessions from different IP addresses for the same user within a 5-minute window.
- The attacker leverages the hijacked session to access corporate resources, such as email, cloud storage, or internal applications.
- Attacker performs unauthorized actions, potentially including data exfiltration, privilege escalation, or lateral movement.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, including customer information, financial records, and intellectual property. The number of affected users depends on the scale of the initial compromise. Organizations in all sectors are potentially vulnerable. A successful attack may result in financial losses, reputational damage, and regulatory fines due to data breaches.
Recommendation
- Deploy the Sigma rule
Azure AD Concurrent Sessions From Different IPsto your SIEM and tune the threshold (unique_ips > 1) to fit your environment. - Investigate alerts generated by the
Azure AD Concurrent Sessions From Different IPsrule, focusing on users with high-value accounts or access to sensitive data. - Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise.
- Review Azure AD sign-in logs for suspicious activity, such as logins from unfamiliar locations or devices.
- Monitor network traffic for connections to known phishing domains or command-and-control servers, referencing external threat intelligence feeds.
Detection coverage 2
Azure AD Concurrent Sessions From Different IPs
highDetects Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking.
Azure AD Non-Interactive Login Success
infoDetects successful non-interactive Azure AD logins. Useful for establishing baseline activity.
Detection queries are available on the platform. Get full rules →