Azure AD Account Authentication from Multiple IPs
An Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window, detected using Azure AD SignInLogs, which may indicate compromised credentials and unauthorized access to corporate resources.
This analytic identifies suspicious Azure Active Directory (AD) account activity characterized by successful authentications originating from multiple distinct IP addresses within a short time frame (30 minutes). This behavior is detected by analyzing Azure AD SignInLogs. This activity can indicate that an attacker has gained unauthorized access to an account, potentially through credential compromise following a phishing campaign or other means. Successful exploitation can lead to unauthorized access to sensitive data, internal systems, and further malicious activities within the Azure AD environment.
Attack Chain
- An attacker gains access to valid Azure AD credentials through phishing, credential stuffing, or other means (T1110, T1566).
- The attacker attempts to authenticate to Azure AD using the compromised credentials.
- The legitimate user may also authenticate normally from their usual location.
- The attacker successfully authenticates from a different IP address than the legitimate user.
- Azure AD SignInLogs record successful authentication events, including the source IP address (src), user, and other relevant details.
- A security monitoring system detects multiple successful authentications from different IP addresses for the same user within a 30-minute window.
- The attacker leverages the compromised account to access cloud resources, applications, and data within the Azure environment.
Impact
Successful exploitation of compromised Azure AD accounts can lead to significant damage. This includes unauthorized access to sensitive data stored within cloud applications, potential data breaches, and the ability for attackers to move laterally within the Azure environment. Affected organizations may experience financial losses, reputational damage, and legal liabilities.
Recommendation
- Deploy the Sigma rule
Azure AD Successful Authentication From Different IPsto your SIEM and tune the threshold forunique_ipsbased on your environment to reduce false positives. - Investigate any alerts generated by the Sigma rule to determine if the user account has been compromised.
- Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise.
- Monitor Azure AD SignInLogs for unusual authentication patterns, such as logins from unfamiliar locations or devices.
Detection coverage 1
Azure AD Authentication with Uncommon Client Application
mediumDetects Azure AD authentication events using uncommon or suspicious client applications, potentially indicating unauthorized access.
Detection queries are available on the platform. Get full rules →