Skip to content
Threat Feed
high advisory

Geographic Improbable Location Detection

Detection of user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.

This detection identifies "improbable travel" scenarios where a user logs in from two geographically distant locations within a short timeframe, suggesting potential Remote Employment Fraud (REF) or compromised credentials. The analysis focuses on login events for critical applications like Workday, Slack, GlobalProtect, Jira, Atlassian Cloud, and Zoom, using Okta logs as a primary data source. This technique is relevant because REF actors and credential thieves often operate from different locations than the legitimate user, and time zone/geographic inconsistencies can expose fraudulent activity. The detection considers factors like user's work country, travel speed, and distance between login locations to assess the risk. This helps defenders identify suspicious logins that bypass traditional security measures.

Attack Chain

  1. User credentials compromised via phishing or other methods (not directly observed in this detection, but a common precursor).
  2. Attacker establishes initial access from Location A, authenticating to a target application (e.g., Workday) via Okta.
  3. A short time later (minutes to hours), the attacker attempts to access the same or a different application from Location B, potentially on the other side of the world.
  4. The detection analyzes Okta logs and correlates login events based on the user ID, source IP, and timestamp.
  5. Geolocation data (latitude, longitude) is obtained for both login locations based on the source IP addresses.
  6. The distance and travel speed between the two locations are calculated.
  7. If the calculated speed exceeds a defined threshold (e.g., 500 km/h) and distance exceeds a defined threshold (e.g., 750 km), the activity is flagged as suspicious.
  8. The user's work country is compared to the login locations to further assess the risk. If the login locations do not match the user's expected work location, the risk score is increased.

Impact

Successful exploitation of this technique can lead to unauthorized access to sensitive corporate resources, data exfiltration, and financial fraud. Compromised accounts used for Remote Employment Fraud can result in financial losses and reputational damage. While the exact number of victims and sectors targeted are not explicitly mentioned in the source, this type of attack can affect organizations of any size in any sector. A successful attack can result in significant financial losses and legal liabilities.

Recommendation

  • Deploy the Sigma rule Geographic Improbable Location to your SIEM, ensuring it is tuned to account for legitimate VPN usage and remote work scenarios.
  • Investigate any alerts generated by the Geographic Improbable Location rule, focusing on users with high-value accounts and access to sensitive data.
  • Utilize the known_devices_public_ip_filter.csv lookup table (mentioned in the "how_to_implement" section) to exclude known and trusted devices from the detection logic.
  • Monitor Okta logs for failed login attempts preceding improbable travel events to identify potential credential compromise attempts.
  • Implement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.

Detection coverage 2

Geographic Improbable Location

high

Detects user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.

sigma tactics: credential_access techniques: T1078 sources: Authentication, okta

Geographic Improbable Location - ASN Check

high

Detects if a user logs in from two different countries within a short period of time, and also checks if the ASN is different between those logins.

sigma tactics: credential_access techniques: T1078 sources: Authentication, okta

Detection queries are available on the platform. Get full rules →