Azure AD Sign-In with Unfamiliar Properties
This alert detects Azure AD sign-ins with properties unfamiliar to the user, indicating potential account compromise or unauthorized access.
This detection identifies Microsoft Entra ID (formerly Azure Active Directory) sign-ins whose properties are unfamiliar for that particular user, such as a new location, IP address, device, or browser. Such activity can indicate account compromise, lateral movement, or other malicious behavior. The detection relies on Entra ID Protection's risk detections, specifically the 'unfamiliarFeatures' risk event type, which Identity Protection raises after comparing a sign-in's properties against that user's recent sign-in history. A user who legitimately switches devices or travels can trigger it, so a single low-risk event is weak evidence on its own; repeated events, a high risk level, or the event appearing together with other risk detections for the same sign-in should be investigated. Identity Protection also has a learning period for new users during which this event is not raised, so newly created accounts produce few or no alerts from this rule at first.
Attack Chain
- An attacker gains initial access to a user’s credentials through phishing, credential stuffing, or other means (T1566, T1110).
- The attacker attempts to sign in to Azure AD using the compromised credentials (T1078).
- The sign-in originates from a location, device, or network that is not typical for the user (T1078).
- Azure Identity Protection compares the sign-in's properties against the user's history and generates an 'unfamiliarFeatures' risk event.
- The security operations team receives an alert from the Sigma rule that matches that risk event, indicating a potentially compromised account.
- The attacker may attempt to access sensitive resources or data within the Azure environment (T1078).
- The attacker could attempt to escalate privileges within the environment to gain broader access (T1068).
- The attacker may establish persistence within the environment to maintain access even if the initial compromise is detected (T1098).
Impact
A successful attack can lead to unauthorized access to sensitive data, privilege escalation, and persistent access to the Azure environment. This can result in data breaches, financial loss, and reputational damage. The number of affected users and the severity of the impact will depend on the scope of the attacker’s access and the sensitivity of the data they are able to access.
Recommendation
- Deploy the Sigma rule "Unfamiliar Sign-In Properties" to your SIEM and tune it for your environment. The rule can only fire if Identity Protection risk detections (or sign-in logs that carry the risk fields) are being ingested, so confirm that log source first.
- Investigate any alert from the "Unfamiliar Sign-In Properties" rule by comparing the flagged sign-in's location, IP address, device, and browser with the user's recent sign-in history, and check whether other risk events fired for the same sign-in.
- Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise (T1110).
- Educate users about phishing and other social engineering tactics to prevent credential theft (T1566).
- Review and enforce Conditional Access policies that restrict access based on location, device compliance, and other factors, including sign-in risk-based policies that require MFA or block access when Identity Protection flags a sign-in as risky.
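The following is an added example, not the platform's detection query nor Microsoft's code. It implements the detection described above (flag any sign-in whose risk events include 'unfamiliarFeatures') and the triage step from the recommendations (compare the flagged sign-in with the user's earlier sign-ins to show which properties are new) over constructed sample records. The field names follow the Microsoft Graph signIn resource (riskEventTypes_v2, riskLevelDuringSignIn, riskState, location, deviceDetail); all values, users, and IP addresses are made up.

```python
"""Flag Entra ID (Azure AD) sign-ins carrying the Identity Protection
'unfamiliarFeatures' risk event and show what is new versus the user's history.
Added example; not the platform's own detection query."""
import json
from datetime import datetime

RISK_EVENT = "unfamiliarFeatures"

# Constructed sign-in records as JSON lines. Field names mirror the Graph signIn
# resource; every user, IP, timestamp and value is invented for this example.
SAMPLE_SIGNIN_LOG = r"""
{"id":"s1","createdDateTime":"2024-05-01T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US","city":"Seattle"},"deviceDetail":{"operatingSystem":"Windows 10","browser":"Edge 124.0"},"riskEventTypes_v2":[],"riskLevelDuringSignIn":"none","riskState":"none"}
{"id":"s2","createdDateTime":"2024-05-02T08:15:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US","city":"Seattle"},"deviceDetail":{"operatingSystem":"Windows 10","browser":"Edge 124.0"},"riskEventTypes_v2":[],"riskLevelDuringSignIn":"none","riskState":"none"}
{"id":"s3","createdDateTime":"2024-05-03T17:44:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US","city":"Seattle"},"deviceDetail":{"operatingSystem":"iOS","browser":"Mobile Safari 17.4"},"riskEventTypes_v2":[],"riskLevelDuringSignIn":"none","riskState":"none"}
{"id":"b1","createdDateTime":"2024-05-03T09:10:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.40","location":{"countryOrRegion":"US","city":"Austin"},"deviceDetail":{"operatingSystem":"macOS","browser":"Chrome 124.0"},"riskEventTypes_v2":[],"riskLevelDuringSignIn":"none","riskState":"none"}
{"id":"a4","createdDateTime":"2024-05-06T03:21:19Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL","city":"Amsterdam"},"deviceDetail":{"operatingSystem":"Linux","browser":"Firefox 125.0"},"riskEventTypes_v2":["unfamiliarFeatures"],"riskLevelDuringSignIn":"medium","riskState":"atRisk"}
{"id":"b2","createdDateTime":"2024-05-06T04:02:33Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RO","city":"Bucharest"},"deviceDetail":{"operatingSystem":"Windows 10","browser":"Chrome 124.0"},"riskEventTypes_v2":["unfamiliarFeatures","anonymizedIPAddress"],"riskLevelDuringSignIn":"high","riskState":"atRisk"}
{"id":"c1","createdDateTime":"2024-05-06T04:30:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.9","location":{"countryOrRegion":"GB","city":"London"},"deviceDetail":{"operatingSystem":"Windows 11","browser":"Edge 124.0"},"riskEventTypes_v2":["unfamiliarFeatures"],"riskLevelDuringSignIn":"low","riskState":"dismissed"}
"""

# Properties we compare against the user's history during triage.
BASELINE_FIELDS = {
    "country": lambda r: (r.get("location") or {}).get("countryOrRegion"),
    "os": lambda r: (r.get("deviceDetail") or {}).get("operatingSystem"),
    "browser": lambda r: (r.get("deviceDetail") or {}).get("browser"),
    "ip": lambda r: r.get("ipAddress"),
}


def parse_signins(raw):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_unfamiliar(signins):
    """Detection logic: any sign-in whose risk events include unfamiliarFeatures.
    riskState is deliberately not filtered: a dismissed or remediated event is
    still surfaced, and the state is reported for the analyst in triage."""
    return [r for r in signins if RISK_EVENT in (r.get("riskEventTypes_v2") or [])]


def baseline_for(user, signins, before):
    """Property values seen in the user's earlier, non-risky sign-ins."""
    seen = {k: set() for k in BASELINE_FIELDS}
    for r in signins:
        if r["userPrincipalName"] != user or ts(r) >= before:
            continue
        if r.get("riskEventTypes_v2"):
            continue  # keep earlier risky sign-ins out of the baseline
        for k, getter in BASELINE_FIELDS.items():
            v = getter(r)
            if v is not None:
                seen[k].add(v)
    return seen


def triage(hit, signins):
    """Enrich one hit with what is new relative to the user's history."""
    user = hit["userPrincipalName"]
    base = baseline_for(user, signins, ts(hit))
    novel = {}
    for k, getter in BASELINE_FIELDS.items():
        v = getter(hit)
        if v is not None and v not in base[k]:
            novel[k] = v
    history = [r for r in signins if r["userPrincipalName"] == user and ts(r) < ts(hit)]
    return {
        "id": hit["id"],
        "user": user,
        "risk_level": hit.get("riskLevelDuringSignIn"),
        "risk_state": hit.get("riskState"),
        "other_risk_events": sorted(set(hit.get("riskEventTypes_v2") or []) - {RISK_EVENT}),
        "baseline_signins": len(history),  # 0 means no history: weak evidence either way
        "novel": novel,
    }


def run(raw=SAMPLE_SIGNIN_LOG):
    signins = parse_signins(raw)
    return [triage(h, signins) for h in detect_unfamiliar(signins)]


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding, indent=2))
```

Running it yields three findings: alice's sign-in is new in every compared property, bob's is paired with an anonymized-IP detection and a high risk level (the strongest signal in the set), and carol's has no history at all, so "unfamiliar" there says little beyond the fact that the account is new. Distinguishing those three cases is the tuning the recommendations above ask for.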
Detection coverage (2 rules)
Azure AD Sign-In with Unfamiliar Properties (severity: high)
Detects sign-ins to Azure AD where the properties are unfamiliar to the user.
Azure AD Sign-In from Unfamiliar Location (severity: medium)
Detects sign-ins to Azure AD from a location not usually accessed by the user.
Detection queries are kept inside the platform.