high advisory

Azure AD Sign-in from New Country/Region

Detection of Azure AD sign-ins originating from countries or regions not previously associated with a user, indicating potential account compromise or anomalous activity.

This threat brief focuses on detecting suspicious sign-in activity within Azure Active Directory (Azure AD). Specifically, it targets sign-ins originating from countries or regions that are new or unusual for a given user. This behavior can be indicative of compromised credentials, travel without notification, or the use of VPN/proxy services to mask the true origin of the sign-in. Microsoft Entra ID Protection identifies “new country” as a risk event when a user signs in from a location that is drastically different from their recent sign-in history. Detecting these anomalies is crucial for preventing unauthorized access and mitigating potential data breaches. The detection uses Azure AD’s risk detection logs to identify such events.

Attack Chain

  1. Initial Access: An attacker gains access to a valid user’s credentials, potentially through phishing, credential stuffing, or malware. (T1078)
  2. Anomalous Login: The attacker attempts to sign in to Azure AD using the compromised credentials from a country or region not typically associated with the user.
  3. Risk Detection Trigger: Azure AD Identity Protection identifies the sign-in as high-risk due to the new country/region and logs a “newCountry” risk event.
  4. Persistence: The attacker may establish persistent access by creating new accounts or modifying existing ones.
  5. Privilege Escalation: If the compromised account has elevated privileges, the attacker may attempt to escalate their privileges within the Azure environment.
  6. Lateral Movement: The attacker may use the compromised account to move laterally within the organization, accessing other resources and data.
  7. Data Exfiltration: The attacker accesses sensitive data and attempts to exfiltrate it from the environment.
  8. Impact: The attacker achieves their objectives, which could include data theft, financial fraud, or disruption of services.

Impact

A successful attack following a sign-in from a new country can result in unauthorized access to sensitive data, compromised user accounts, and potential data breaches. Organizations may experience financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the privileges of the compromised account and the attacker’s objectives. Immediate containment is crucial to prevent further damage if a new country sign-in is verified as malicious.

Recommendation

  • Deploy the provided Sigma rule to your SIEM or security analytics platform to detect “newCountry” risk events in Azure AD (logsource: azure, service: riskdetection).
  • Investigate any alerts generated by the Sigma rule in the context of other sign-in activities for the affected user to rule out false positives.
  • Implement multi-factor authentication (MFA) for all users to mitigate the risk of account compromise (T1078).
  • Monitor user activity logs for other suspicious behaviors, such as unusual access patterns or attempts to escalate privileges.
  • Review and enforce conditional access policies to restrict access based on location, device, and other factors.
  • Educate users about phishing and other social engineering tactics to prevent credential theft.

Detection coverage (2 rules)

Azure AD Sign-in from New Country

high

Detects sign-ins from new countries based on Azure AD Identity Protection risk events.

Rule type: sigma · Tactics: initial_access · Techniques: T1078 · Sources: azure, riskdetection

Azure AD Suspicious Sign-in Activity - Multiple Failed Attempts from New Country

medium

Detects a pattern of failed login attempts followed by a successful login from a new country, potentially indicating a credential stuffing attack.

Rule type: sigma · Tactics: initial_access · Techniques: T1110.001 · Sources: azure, signinlogs
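The two detections above are kept inside the platform, so the following is an added illustration written for this page, not the platform's own rules or Microsoft code. It shows, in plain Python over constructed sample events, the logic each rule describes: (1) a match on Identity Protection risk detections whose riskEventType is "newCountry" (what the Sigma rule on the azure/riskdetection logsource expresses), and (2) a per-user correlation over sign-in logs that flags a successful sign-in from a country absent from the user's history when it was preceded by a burst of failures. The record shapes mimic the Microsoft Graph riskDetection and signIn objects (riskEventType, riskState, status.errorCode, location.countryOrRegion), but every event is constructed; the skipped risk states, the failure threshold and the 30-minute window are assumptions chosen for the example, not values from the page.

```python
"""Added example: the two Azure AD detections from this brief, over constructed events.
Field names follow the Microsoft Graph riskDetection and signIn objects; all values are made up."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- (1) Identity Protection risk detections (logsource azure / riskdetection) ---
RISK_DETECTIONS = [  # constructed sample events
    {"riskEventType": "newCountry", "userPrincipalName": "alice@example.com", "riskLevel": "high",
     "riskState": "atRisk", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "BR"},
     "activityDateTime": "2024-05-01T08:02:00Z"},
    {"riskEventType": "unfamiliarFeatures", "userPrincipalName": "bob@example.com", "riskLevel": "medium",
     "riskState": "atRisk", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"},
     "activityDateTime": "2024-05-01T09:15:00Z"},
    {"riskEventType": "newCountry", "userPrincipalName": "carol@example.com", "riskLevel": "low",
     "riskState": "dismissed", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "JP"},
     "activityDateTime": "2024-05-01T10:40:00Z"},
]


def detect_new_country_risk(detections, ignore_states=("dismissed", "remediated")):
    """Same selection as a Sigma rule with `riskEventType: newCountry`.
    Skipping already-closed risk states is an added triage choice (assumption)
    so that cases an admin has handled are not re-alerted."""
    alerts = []
    for d in detections:
        if d.get("riskEventType") != "newCountry" or d.get("riskState") in ignore_states:
            continue
        alerts.append({"rule": "Azure AD Sign-in from New Country", "user": d["userPrincipalName"],
                       "country": d.get("location", {}).get("countryOrRegion"), "ip": d.get("ipAddress"),
                       "riskLevel": d.get("riskLevel"), "time": d["activityDateTime"]})
    return alerts


# --- (2) Sign-in logs (logsource azure / signinlogs) ---
# status.errorCode 0 is a successful sign-in; 50126 is "invalid username or password".
def _signin(user, when, country, ip, code):
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


SIGN_INS = [  # constructed sample events
    _signin("alice@example.com", "2024-04-20T09:00:00Z", "US", "192.0.2.5", 0),      # historical baseline
    _signin("alice@example.com", "2024-05-01T07:50:00Z", "BR", "203.0.113.10", 50126),
    _signin("alice@example.com", "2024-05-01T07:53:00Z", "BR", "203.0.113.10", 50126),
    _signin("alice@example.com", "2024-05-01T07:57:00Z", "BR", "203.0.113.10", 50126),
    _signin("alice@example.com", "2024-05-01T08:02:00Z", "BR", "203.0.113.10", 0),   # success from new country
    _signin("bob@example.com", "2024-04-22T10:00:00Z", "US", "192.0.2.9", 0),
    _signin("bob@example.com", "2024-05-01T11:00:00Z", "US", "192.0.2.9", 50126),
    _signin("bob@example.com", "2024-05-01T11:01:00Z", "US", "192.0.2.9", 50126),
    _signin("bob@example.com", "2024-05-01T11:02:00Z", "US", "192.0.2.9", 50126),
    _signin("bob@example.com", "2024-05-01T11:03:00Z", "US", "192.0.2.9", 0),        # home country: no alert
    _signin("carol@example.com", "2024-05-01T12:00:00Z", "JP", "192.0.2.44", 50126),
    _signin("carol@example.com", "2024-05-01T12:01:00Z", "JP", "192.0.2.44", 0),     # only one failure: no alert
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_country_baseline(sign_ins, before):
    """Countries each user signed in from successfully before `before`;
    this is the 'known' history that a new country is measured against."""
    baseline = defaultdict(set)
    for e in sign_ins:
        if e["status"]["errorCode"] == 0 and _ts(e["createdDateTime"]) < before:
            baseline[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    return baseline


def detect_failures_then_new_country_success(sign_ins, baseline, min_failures=3,
                                             window=timedelta(minutes=30)):
    """Flag a successful sign-in from a country outside the user's baseline that was
    preceded by at least `min_failures` failures inside `window` (threshold and
    window are assumptions). The baseline is deliberately not updated by the
    suspicious success, so a compromise does not teach the detector a new 'home'."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in the window
    for e in sorted(sign_ins, key=lambda ev: _ts(ev["createdDateTime"])):
        user, t = e["userPrincipalName"], _ts(e["createdDateTime"])
        q = recent_failures[user]
        while q and t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if e["status"]["errorCode"] != 0:
            q.append(t)
            continue
        country = e["location"]["countryOrRegion"]
        if len(q) >= min_failures and country not in baseline.get(user, set()):
            alerts.append({"rule": "Multiple Failed Attempts from New Country", "user": user,
                           "country": country, "ip": e["ipAddress"], "failed_attempts": len(q),
                           "time": e["createdDateTime"]})
        q.clear()  # a success ends the failure run
    return alerts


def run():
    baseline = build_country_baseline(SIGN_INS, before=datetime(2024, 5, 1))
    return detect_new_country_risk(RISK_DETECTIONS), detect_failures_then_new_country_success(SIGN_INS, baseline)


if __name__ == "__main__":
    for alert in [a for group in run() for a in group]:
        print(alert)
```

Run stand-alone it prints two alerts, both for alice: the newCountry risk event (carol's is skipped because its riskState is dismissed) and the three failures followed by a success from BR. Bob's failures end with a success from his baseline country and carol has only one failure, so neither matches, which is the kind of context the Recommendation section asks analysts to weigh before escalating.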

Detection queries are kept inside the platform. Get full rules →