Threat Feed advisory, severity: high

Azure Identity Protection Suspicious Browser Activity

A suspicious browser activity alert indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser, potentially indicating compromised credentials or other malicious activity.

The “suspiciousBrowser” risk event in Azure Identity Protection signals unusual sign-in patterns indicative of potential account compromise or other malicious activity. This alert is triggered when the same browser is used to access multiple tenants from different countries, which is an atypical behavior for legitimate users. This type of activity could be caused by malware, credential theft, or an attacker attempting to blend in with normal user behavior after gaining unauthorized access. This detection is important for defenders because it can highlight early stages of an attack, potentially preventing lateral movement, data exfiltration, or other damaging actions.

Attack Chain

  1. An attacker gains initial access to a user’s credentials through phishing, malware, or other means (T1566, T1190).
  2. The attacker configures a browser with the stolen credentials.
  3. The attacker uses the same browser to attempt sign-ins to multiple Azure tenants from different geographical locations, attempting to blend in with typical user activity.
  4. Azure Identity Protection detects the “suspiciousBrowser” risk event based on the anomalous sign-in activity.
  5. If successful, the attacker may gain access to sensitive data and resources within the targeted tenants.
  6. The attacker leverages the compromised accounts to escalate privileges and move laterally within the organization (T1078, T1068).
  7. The attacker exfiltrates sensitive data or deploys ransomware (T1003, T1486).

Impact

A successful attack exploiting suspicious browser activity can lead to unauthorized access to multiple Azure tenants, potentially impacting numerous organizations. The compromise of user accounts can result in data breaches, financial losses, and reputational damage. The scope of the impact depends on the level of access granted to the compromised accounts and the sensitivity of the data stored within the targeted tenants.

Recommendation

  • Deploy the provided Sigma rule to detect “suspiciousBrowser” risk events in your Azure environment, and tune it for your environment.
  • Investigate sessions flagged by this detection in the context of other sign-ins from the same user to identify false positives.
  • Enforce multi-factor authentication (MFA) to mitigate the impact of compromised credentials.
  • Monitor user sign-in activity for unusual patterns, such as sign-ins from multiple geographical locations within a short period.

Detection coverage (2 rules)

Azure AD Identity Protection Suspicious Browser Activity

high

Detects suspicious browser activity based on Azure AD Identity Protection alerts.

Rule format: sigma. Tactics: initial-access, persistence, privilege-escalation, stealth. Techniques: T1078. Sources: azure, riskdetection.

Azure AD Risky Sign-in Detected

medium

Detects risky sign-in activity based on Azure AD Identity Protection alerts.

Rule format: sigma. Tactics: initial-access. Techniques: T1078. Sources: azure, riskdetection.

Detection queries are kept inside the platform.