Azure Active Directory — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/azure-active-directory/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 Nov 2024 12:00:00 +0000Microsoft 365 Identity Login from Impossible Travel Locationhttps://feed.craftedsignal.io/briefs/2024-11-m365-impossible-travel/Fri, 15 Nov 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-m365-impossible-travel/Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short time frame, potentially indicating account compromise or unauthorized access.This detection rule identifies Microsoft 365 login anomalies indicative of “impossible travel,” where a user account logs in from geographically disparate locations within a short timeframe. This behavior often signifies account compromise, with threat actors leveraging stolen credentials to access cloud resources from different countries. The rule focuses on successful Azure Active Directory logins and excludes specific application IDs and request types known to generate false positives. The premise is that legitimate user travel between distant countries is highly improbable within a brief time window. This detection is crucial for defenders to identify and respond to potential account takeovers promptly.

Attack Chain

  1. The attacker obtains valid credentials for a Microsoft 365 account, possibly through phishing, credential stuffing, or purchasing them on the dark web.
  2. The attacker initiates a login to the Microsoft 365 portal from a location different from the legitimate user’s typical location.
  3. The user logs in successfully, generating an Azure Active Directory audit event with the “UserLoggedIn” action.
  4. Within a short timeframe (e.g., 15 minutes), the attacker initiates another login from a different country.
  5. The second login is also successful, generating another Azure Active Directory audit event with the “UserLoggedIn” action from a different geographical location.
  6. The detection rule identifies the two login events originating from two different countries for the same user within the configured timeframe.
  7. The attacker gains access to the compromised account and can access sensitive data, send phishing emails, or perform other malicious actions.

Impact

A successful attack can lead to unauthorized access to sensitive data within Microsoft 365, potentially resulting in data breaches, financial loss, and reputational damage. The number of affected users and the scale of the impact depends on the level of access granted to the compromised account. This attack targets any organization using Microsoft 365 for email, file storage, and other services.

Recommendation

  • Deploy the Sigma rule “M365 Identity Login from Impossible Travel Location” to your SIEM to detect suspicious login activity.
  • Tune the timeframe in the Sigma rule to match your organization’s risk tolerance and user travel patterns.
  • Investigate any alerts generated by the Sigma rule by reviewing the user’s login history, geographic locations, and other relevant factors as noted in the rule’s documentation.
  • Consider implementing multi-factor authentication (MFA) for all users to mitigate the risk of account compromise, referenced in the provided documentation.
  • Regularly review and update the list of excluded Application IDs in the Sigma rule to prevent false positives, based on your specific environment.
]]>mediumadvisorycloudidentitymicrosoft 365azure active directoryinitial access