Skip to content
Threat Feed
high advisory

Azure AD Account Concurrent Sessions from Different IPs

Detection of Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking and unauthorized access.

This analytic identifies Azure AD accounts exhibiting concurrent sessions originating from multiple unique IP addresses within a short timeframe. The detection leverages Azure Active Directory NonInteractiveUserSignInLogs to analyze successful authentication events and count distinct source IPs within a 5-minute window. The activity is flagged as suspicious due to the potential for session hijacking, where an attacker uses stolen session cookies (possibly obtained via phishing kits like Evilginx2) to access corporate resources from geographically diverse locations. Successful session hijacking could lead to unauthorized access to sensitive information and potential data breaches. This detection is relevant for organizations using Azure AD for authentication and authorization. The original Splunk query was published on 2026-04-17.

Attack Chain

  1. Attacker compromises user credentials or obtains session cookies via phishing or other methods (e.g., Evilginx2).
  2. Attacker initiates a session from a new IP address, potentially outside the user's typical geographic location.
  3. The user also has a legitimate session active from their usual location.
  4. Azure AD records successful authentication events from both the attacker's IP and the user's legitimate IP.
  5. The analytic detects the concurrent sessions from different IP addresses for the same user within a 5-minute window.
  6. The attacker leverages the hijacked session to access corporate resources, such as email, cloud storage, or internal applications.
  7. Attacker performs unauthorized actions, potentially including data exfiltration, privilege escalation, or lateral movement.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, including customer information, financial records, and intellectual property. The number of affected users depends on the scale of the initial compromise. Organizations in all sectors are potentially vulnerable. A successful attack may result in financial losses, reputational damage, and regulatory fines due to data breaches.

Recommendation

  • Deploy the Sigma rule Azure AD Concurrent Sessions From Different IPs to your SIEM and tune the threshold (unique_ips > 1) to fit your environment.
  • Investigate alerts generated by the Azure AD Concurrent Sessions From Different IPs rule, focusing on users with high-value accounts or access to sensitive data.
  • Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise.
  • Review Azure AD sign-in logs for suspicious activity, such as logins from unfamiliar locations or devices.
  • Monitor network traffic for connections to known phishing domains or command-and-control servers, referencing external threat intelligence feeds.

Detection coverage 2

Azure AD Concurrent Sessions From Different IPs

high

Detects Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking.

sigma tactics: credential_access techniques: T1185 sources: network_connection, azure

Azure AD Non-Interactive Login Success

info

Detects successful non-interactive Azure AD logins. Useful for establishing baseline activity.

sigma tactics: credential_access techniques: T1185 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →