M365 or Entra ID Identity Sign-in from a Suspicious Source
This rule correlates successful Entra ID or Microsoft 365 mail sign-in events with network security alerts by source address, indicating potential initial access by adversaries who trigger network security alerts before accessing cloud resources.
This detection rule identifies instances where successful sign-in events in Microsoft 365 (M365) or Entra ID are associated with suspicious network activity. The rule correlates sign-in logs with network security alerts based on the source IP address. Attackers might trigger network security alerts, such as those related to IP reputation or anomalous behavior, before attempting to access cloud resources. This approach allows defenders to detect potentially compromised accounts based on anomalous network behavior preceding cloud access. The rule is designed to detect initial access attempts and requires Azure Fleet, Office 365 Logs Fleet integration, Filebeat module, or similarly structured data.
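As an added example (not code from this page or its rule set), the correlation described above in Python, run over constructed sample events: a successful sign-in is flagged when the same source IP raised a network alert within a fixed look-back window before it. The field names, the one-hour window and the sample IPs are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); timestamps are UTC.
NETWORK_ALERTS = [
    {"ts": "2024-05-01T09:55:00Z", "src_ip": "203.0.113.45", "alert": "ip-reputation"},
    {"ts": "2024-05-01T08:00:00Z", "src_ip": "198.51.100.7", "alert": "port-scan"},
]

SIGNINS = [
    {"ts": "2024-05-01T10:02:00Z", "src_ip": "203.0.113.45", "user": "alice@example.com",
     "result": "success", "source": "entra_id"},
    {"ts": "2024-05-01T10:05:00Z", "src_ip": "203.0.113.45", "user": "bob@example.com",
     "result": "failure", "source": "entra_id"},
    {"ts": "2024-05-01T11:30:00Z", "src_ip": "198.51.100.7", "user": "carol@example.com",
     "result": "success", "source": "m365"},
    {"ts": "2024-05-01T10:10:00Z", "src_ip": "192.0.2.10", "user": "dave@example.com",
     "result": "success", "source": "m365"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(signins, alerts, window=timedelta(hours=1)):
    """Return successful sign-ins whose source IP produced a network alert
    in the `window` before the sign-in. Failed sign-ins, IPs with no alert,
    and alerts outside the window are ignored."""
    alerts_by_ip = {}
    for alert in alerts:
        alerts_by_ip.setdefault(alert["src_ip"], []).append(alert)

    hits = []
    for signin in signins:
        if signin["result"] != "success":
            continue
        signin_time = parse_ts(signin["ts"])
        for alert in alerts_by_ip.get(signin["src_ip"], []):
            lag = signin_time - parse_ts(alert["ts"])
            # Only alerts that preceded the sign-in, and not older than the window.
            if timedelta(0) <= lag <= window:
                hits.append({"user": signin["user"], "src_ip": signin["src_ip"],
                             "source": signin["source"], "alert": alert["alert"],
                             "lag_minutes": int(lag.total_seconds() // 60)})
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNINS, NETWORK_ALERTS):
        print(hit)
```

Widening the window trades fewer missed correlations for more benign matches, so tune it against the alert volume of the network sensor feeding the rule.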
Attack Chain
- An attacker compromises a user’s credentials through methods like phishing or credential stuffing.
- The attacker attempts to access network resources from a suspicious IP address.
- This activity triggers a network security alert based on reputation or other anomalies.
- The attacker successfully authenticates to Entra ID or Microsoft 365 from the same suspicious IP address.
- The rule correlates the successful sign-in event with the network security alert, flagging the activity.
- The attacker accesses mail items within Microsoft 365.
- The attacker moves laterally within the cloud environment, accessing other resources.
- The attacker achieves their objective, such as data exfiltration or persistence.
Impact
A successful attack could lead to unauthorized access to sensitive data, compromised accounts, and lateral movement within the cloud environment. The scope of the impact depends on the permissions and roles associated with the compromised account. This can lead to data breaches, financial loss, and reputational damage. Identifying these incidents early can significantly reduce the potential damage and contain the breach.
Recommendation
- Deploy the Sigma rule "Entra ID or Microsoft 365 Sign-in with Network Alert" to your SIEM to detect correlated sign-in and network alert events.
- Investigate alerts generated by the "Entra ID or Microsoft 365 Sign-in with Network Alert" rule by reviewing the associated network alerts and sign-in logs.
- Enable and review Azure and Microsoft 365 audit logs to provide the data the Sigma rule needs.
- Ensure network security alerts are configured to detect suspicious activity such as unusual source IPs as referenced by the logic in the provided ESQL query.
- Implement multi-factor authentication to mitigate credential compromise, as referenced in the Microsoft best practices link.
- Use the Microsoft recommended best practices for user account monitoring and protection.
Detection coverage (2 rules)
- Entra ID or Microsoft 365 Sign-in with Network Alert (high): Detects Entra ID or Microsoft 365 sign-in events correlated with network alerts from a suspicious source IP.
- Entra ID Failed Sign-in Followed by Success from Same IP (medium): Detects a failed Entra ID sign-in followed by a successful sign-in from the same IP address within a short timeframe, potentially indicating credential stuffing or brute-force attempts.