Entra ID User Reported Suspicious Activity
This rule detects suspicious activity reported by users in Microsoft Entra ID, indicating potential account compromise or unauthorized access attempts via social engineering during authentication.
This detection identifies suspicious activity reported by users in Microsoft Entra ID. The rule focuses on events where users have flagged activity related to their accounts as suspicious, potentially signaling a compromise or unauthorized access attempts. These reports often arise during the authentication process, particularly with methods like Microsoft Authenticator. Attackers might use social engineering or other techniques to exploit user accounts, aiming to gain unauthorized access to sensitive resources. This activity is logged within Azure Audit Logs when a user reports suspicious authentication activity. Defenders should investigate these alerts promptly to determine if an account has been compromised.
Attack Chain
- Initial Access: The attacker gains initial access through techniques like phishing or password spraying targeting valid user accounts in Entra ID (T1078, T1566).
- MFA Request Generation: The attacker triggers MFA requests, possibly leading to MFA fatigue (T1621).
- User Reports Suspicious Activity: The legitimate user receives unexpected MFA prompts and reports the activity as suspicious via the "Suspicious activity reported" feature in Microsoft Entra ID.
- Audit Log Generation: Azure Audit Logs record the user's report, including details about the authentication method used during the suspicious attempt (e.g., PhoneAppNotification).
- Identity Verification: An attacker may attempt to bypass MFA using stolen credentials or social engineering, prompting unexpected authentication requests for the legitimate user.
- Persistence (Potential): If successful in bypassing MFA, the attacker establishes persistent access to the compromised account.
- Privilege Escalation (Potential): The attacker might attempt to escalate privileges within the Entra ID environment after gaining initial access.
- Data Exfiltration/Lateral Movement (Potential): The attacker moves laterally within the cloud environment or exfiltrates sensitive data if access is gained to a valid account.
Impact
A successful attack could lead to unauthorized access to sensitive data, financial loss, reputational damage, and disruption of services. While the rule itself flags user-reported suspicious activity, the underlying compromise could affect multiple users and services within the Entra ID environment. The scope of the impact depends on the permissions and access levels of the compromised user account.
Recommendation
- Deploy the Sigma rule to your SIEM and tune for your environment to detect Entra ID user-reported suspicious activity.
- Investigate the
azure.auditlogs.identityandazure.auditlogs.properties.initiated_by.user.userPrincipalNamefields in the logs generated by this alert to identify the reporting user and correlate with sign-in activity. - Review recent sign-in logs for the affected user, focusing on IP address geolocation, device information, and MFA prompt patterns as described in the rule's triage notes.
- Implement conditional access policies requiring number matching or stronger MFA mechanisms to mitigate MFA fatigue and phishing attacks as suggested in the rule's documentation.
- Educate users on reporting suspicious MFA prompts and following up with IT/security teams promptly to improve overall security awareness.
- Based on the initial access vector (likely phishing or credential stuffing), implement protections against credential compromise as covered by ATT&CK T1078 and T1566.
Detection coverage 2
Entra ID User Reported Suspicious Activity
mediumDetects when a user in Microsoft Entra ID reports suspicious activity associated with their account, which may indicate potential compromise or unauthorized access attempts.
Entra ID MFA Fraud Alert - Suspicious Activity Reported with Specific Authentication Method
highDetects suspicious activity reported in Entra ID where the authentication method involves phone app notification, potentially indicating MFA fatigue or phishing.
Detection queries are available on the platform. Get full rules →