M365 Identity Login from Atypical Travel Location
This rule detects successful Microsoft 365 portal logins from rare locations, potentially indicating an adversary attempting to access an account from an unusual location or behind a VPN.
This detection rule, sourced from Elastic, identifies Microsoft 365 login events originating from locations not commonly associated with a user's account. The rule analyzes Microsoft 365 audit logs for successful logins and compares the login location against a baseline of known user locations. The detection logic is implemented via a new_terms aggregation that flags rare combinations of o365.audit.UserId and source.geo.country_iso_code. The rule is designed to detect initial access attempts by adversaries leveraging valid accounts, possibly masking their true location using VPNs or other anonymization tools. The rule focuses on successful logins and excludes common benign scenarios such as logins from Apple iOS, Android and PKeyAuth devices. This alert helps defenders identify potentially compromised accounts and unusual access patterns within their Microsoft 365 environment.
Attack Chain
- An attacker obtains valid credentials for a Microsoft 365 account through phishing, credential stuffing, or other means.
- The attacker uses the compromised credentials to attempt to log in to the Microsoft 365 portal.
- The login attempt originates from a geographic location that is not commonly associated with the user's account.
- The Microsoft 365 audit logs record a successful login event with event action
UserLoggedIn, providerAzureActiveDirectoryand outcomesuccess. - The
source.geo.country_iso_codeando365.audit.UserIdcombination is identified as rare based on historical data. - The detection rule triggers an alert, flagging the unusual login activity.
- The attacker gains access to the user's Microsoft 365 account and its associated resources (email, OneDrive, SharePoint, etc.)
- The attacker performs malicious actions such as data exfiltration, lateral movement, or business email compromise.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, business email compromise, and further malicious activities within the organization's Microsoft 365 environment. The potential impact includes data breaches, financial losses, and reputational damage. The number of affected users depends on the scope of the compromised account. The rule helps in detecting anomalies that might bypass traditional security measures like MFA if the attacker has already compromised the MFA device or bypassed it through other means.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it to your environment, excluding expected VPN exit points or frequent travel locations (
o365.audit.UserId,source.geo.country_iso_code). - Investigate any alerts generated by the rule to determine the legitimacy of the login attempt. Review the user's recent activity and contact them to confirm whether they were traveling or using a VPN at the time of the login.
- Enforce multi-factor authentication (MFA) for all users to reduce the risk of account compromise.
- Monitor for any subsequent login attempts from the same location or IP address to identify potential patterns of malicious activity.
- Review and harden conditional access policies in Entra ID to restrict access based on location, device, and other factors.
- Enable and monitor Microsoft 365 audit logs to ensure that all login events are being captured.
Detection coverage 2
M365 Login from Atypical Country
mediumDetects successful Microsoft 365 logins from a country not commonly associated with the user.
M365 Login from Atypical Country (No Geo Data)
lowDetects successful Microsoft 365 logins when geo data is missing, indicating a potential VPN or proxy use.
Detection queries are available on the platform. Get full rules →