Skip to content
Threat Feed
high advisory

M365 or Entra ID Identity Sign-in from a Suspicious Source

Correlates successful Entra ID or Microsoft 365 sign-in events with network security alerts based on the source IP address, indicating potential initial access from suspicious sources.

This threat brief addresses the risk of compromised credentials being used to access Microsoft 365 (M365) or Entra ID environments from suspicious network locations. The Elastic detection rule "M365 or Entra ID Identity Sign-in from a Suspicious Source," published on 2026-04-10, correlates successful sign-in events with network security alerts triggered by the same source IP address. This correlation helps identify instances where an adversary might trigger a network alert (e.g., reputation-based or anomaly detection) before successfully authenticating to cloud resources. The rule focuses on identifying initial access attempts and is designed to detect activity that deviates from normal user behavior. Identifying suspicious sign-ins allows for prompt incident response and prevents further unauthorized access.

Attack Chain

  1. Initial Compromise: An attacker compromises user credentials through phishing, malware, or credential stuffing attacks.
  2. Network Probing: The attacker uses the compromised credentials to attempt access to the target network, potentially triggering network security alerts due to unusual or malicious activity.
  3. Successful Authentication: Despite triggering network alerts, the attacker successfully authenticates to Microsoft 365 or Entra ID using the compromised credentials.
  4. Mail Access (Optional): Once authenticated, the attacker accesses the victim's email, potentially searching for sensitive information or using the account for further phishing attacks.
  5. Lateral Movement: The attacker attempts to move laterally within the M365 or Entra ID environment, potentially accessing other resources or user accounts.
  6. Privilege Escalation (Optional): The attacker attempts to escalate privileges within the environment to gain broader access and control.
  7. Data Exfiltration/Manipulation: The attacker exfiltrates sensitive data from the compromised environment or manipulates data to achieve their objectives.
  8. Persistence: The attacker establishes persistence mechanisms to maintain access to the environment, such as creating new user accounts or modifying existing configurations.

Impact

A successful attack can lead to unauthorized access to sensitive data, financial fraud, and reputational damage. Depending on the scope of access, attackers can gain access to confidential emails, documents, and other sensitive information stored within the Microsoft 365 or Entra ID environment. If attackers successfully maintain access, they can cause long-term damage and disruption to the organization's operations. The number of potential victims varies depending on the size and complexity of the targeted organization.

Recommendation

  • Deploy the provided Sigma rules to your SIEM to detect correlated suspicious network activity and M365/Entra ID logins, tuning the rules for your specific environment.
  • Investigate alerts generated by the Sigma rules, focusing on the source IP address and associated network alerts, as outlined in the Elastic rule's triage and analysis section.
  • Review and harden your organization's multi-factor authentication (MFA) policies to prevent successful logins from compromised accounts, referencing Microsoft's security best practices (https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices).
  • Implement network segmentation and access controls to limit the potential impact of compromised credentials, referencing the excluded IP ranges in the original rule's query to identify potentially internal or trusted networks.

Detection coverage 2

M365/Entra ID Login After Network Connection to Non-Standard Port

medium

Detects a M365/Entra ID login from a source IP address that recently connected to a non-standard port on an internal network, potentially indicating an external attacker.

sigma tactics: initial_access techniques: T1078 sources: network_connection, windows

M365/Entra ID Login After Connection to Known Malicious IP

high

Detects a M365/Entra ID login originating from a source IP that has recently connected to a known malicious IP address.

sigma tactics: command_and_control, initial_access techniques: T1078 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →