medium advisory

M365 Identity Login from Atypical Region

Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from within a specific time window. By analyzing login events and per-user location patterns, the rule surfaces logins that may indicate unauthorized access.

This detection rule identifies successful Microsoft 365 portal logins from a country and region that a user has not previously authenticated from within a specific time window. This behavior can indicate an adversary accessing the account from an unusual location, potentially using a VPN to mask their origin. The rule analyzes login events and user location patterns at the country and region level to identify these atypical logins. It focuses on successful logins and attempts to filter out common false-positive sources, such as mobile devices, specific Microsoft application IDs, and certain request types, to reduce noise. The time window for atypical behavior is set to 7 days.
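As an added illustration (not the advisory's Sigma rule or the vendor's code), the following Python applies the logic described above to constructed, GeoIP-enriched login records. The field names, the mobile-client and application-ID filters, and the decision to treat a user with no recent history as baseline-building rather than alerting are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed field names and GeoIP enrichment (country/region from ClientIP); the advisory does not specify them.
HISTORY_WINDOW = timedelta(days=7)                            # the rule's 7-day window
EXCLUDED_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}   # constructed placeholder application-ID allowlist
MOBILE_MARKERS = ("iPhone", "Android", "Mobile")              # crude stand-in for the rule's mobile-device exclusion

# Constructed sample UserLoggedIn records, already enriched with country and region.
EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice@example.com", "result": "Succeeded", "country": "US",
     "region": "Texas", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-05-03T09:00:00Z", "user": "alice@example.com", "result": "Succeeded", "country": "US",
     "region": "Texas", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-05-04T10:15:00Z", "user": "alice@example.com", "result": "Succeeded", "country": "NL",
     "region": "North Holland", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},    # atypical: alert
    {"ts": "2024-05-04T11:00:00Z", "user": "alice@example.com", "result": "Succeeded", "country": "GB",
     "region": "England", "app_id": "app-1", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"},  # mobile: filtered
    {"ts": "2024-05-02T07:00:00Z", "user": "bob@example.com", "result": "Succeeded", "country": "DE",
     "region": "Bavaria", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-05-05T07:30:00Z", "user": "bob@example.com", "result": "Succeeded", "country": "FR",
     "region": "Ile-de-France", "app_id": "00000000-0000-0000-0000-00000000aaaa", "ua": "Mozilla/5.0 (Windows NT 10.0)"},  # allowlisted app
    {"ts": "2024-05-05T08:00:00Z", "user": "bob@example.com", "result": "Failed", "country": "FR",
     "region": "Ile-de-France", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},     # failed: ignored
    {"ts": "2024-05-20T08:00:00Z", "user": "bob@example.com", "result": "Succeeded", "country": "DE",
     "region": "Bavaria", "app_id": "app-1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},           # baseline expired: no alert
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_excluded(ev):
    """Noise filters mirroring the rule: drop mobile clients and allowlisted application IDs."""
    return ev["app_id"] in EXCLUDED_APP_IDS or any(m in ev["ua"] for m in MOBILE_MARKERS)

def detect_atypical_logins(events):
    """One alert per successful login whose (country, region) the user has not used within the
    preceding HISTORY_WINDOW. No prior login in the window means baseline-building, not an alert."""
    history, alerts = defaultdict(list), []      # history: user -> [(timestamp, (country, region))]
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["result"] != "Succeeded":
            continue                              # the rule only considers successful logins
        ts, loc = parse_ts(ev["ts"]), (ev["country"], ev["region"])
        known = {l for t, l in history[ev["user"]] if ts - t <= HISTORY_WINDOW}
        if known and loc not in known and not is_excluded(ev):
            alerts.append({"user": ev["user"], "ts": ev["ts"], "location": loc, "known": sorted(known)})
        history[ev["user"]].append((ts, loc))     # every success, filtered or not, extends the baseline
    return alerts

print(detect_atypical_logins(EVENTS))
```

Tuning the advisory's history_window_start corresponds to changing HISTORY_WINDOW here; a longer window reduces alerts for travellers but lets a stale location stay "known" longer.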

Attack Chain

  1. An attacker obtains valid credentials for a Microsoft 365 user account.
  2. The attacker initiates a login attempt to the Microsoft 365 portal.
  3. The login attempt originates from a country and region that is not in the user’s historical login location data.
  4. The login attempt is successful, bypassing any multi-factor authentication (MFA) or other security controls (not explicitly covered in this rule, but a common scenario).
  5. The attacker gains access to the user’s Microsoft 365 account.
  6. The attacker may then proceed to access sensitive data, such as emails, files, or SharePoint sites.
  7. The attacker might escalate privileges or move laterally within the Microsoft 365 environment if the compromised account has sufficient permissions.
  8. The attacker could establish persistence by creating new accounts or modifying existing ones.

Impact

A successful attack can lead to unauthorized access to sensitive data, intellectual property theft, financial fraud, and reputational damage. Depending on the compromised user’s role and access levels, the impact can range from minor data leakage to a full-scale breach of the organization’s Microsoft 365 environment. This can affect organizations of any size and across any sector that relies on Microsoft 365 for its operations.

Recommendation

  • Deploy the Sigma rule M365 Identity Login from Atypical Region to your SIEM and tune the history_window_start parameter for your environment.
  • Investigate any alerts generated by the Sigma rule by reviewing the user’s recent login activity, geographic locations, ISP information, and client application used as described in the rule’s note.
  • Implement multi-factor authentication (MFA) for all users, especially for those with privileged access, to mitigate the risk of unauthorized login attempts from atypical locations.
  • Consider adding exceptions to the Sigma rule for specific users or source application IDs if the login attempts are determined to be legitimate and not a security concern, as mentioned in the rule’s note.
  • Enable Microsoft 365 audit logging to ensure the required data is available for the Sigma rule to function correctly.

Detection coverage (2 rules)

M365 Identity Login from Atypical Region

medium

Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window.

Format: sigma | Tactics: initial_access | Techniques: T1078, T1078.004 | Sources: webserver, linux

M365 User Logged in from new Country

medium

Detects a user login from a new country based on audit logs.

Format: sigma | Tactics: initial_access | Techniques: T1078, T1078.004 | Sources: webserver, linux
