{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/atypical-travel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","Microsoft Entra ID Protection"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","atypical-travel","account-compromise","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user\u0026rsquo;s credentials and is attempting to access resources from a different location. The alert is triggered by the \u0026lsquo;unlikelyTravel\u0026rsquo; risk event type within Azure\u0026rsquo;s risk detection service. This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user\u0026rsquo;s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains a user\u0026rsquo;s credentials through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Location A):\u003c/strong\u003e The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Location A):\u003c/strong\u003e The attacker successfully authenticates and gains access to Azure resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond Sign-in (Location B):\u003c/strong\u003e Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAtypical Travel Alert:\u003c/strong\u003e Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access/Data Exfiltration:\u003c/strong\u003e The attacker accesses sensitive resources or exfiltrates data from the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn account compromise that surfaces as an Atypical Travel alert can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user\u0026rsquo;s access and the attacker\u0026rsquo;s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location and other factors.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent brute-force attacks against user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:21:00Z","date_published":"2024-01-02T18:21:00Z","id":"/briefs/2024-01-azure-atypical-travel/","summary":"The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.","title":"Azure Identity Protection Atypical Travel Anomaly","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/"}],"language":"en","title":"CraftedSignal Threat Feed — Atypical-Travel","version":"https://jsonfeed.org/version/1.1"}