{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/compromised-account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","azuread","compromised-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies Azure AD accounts exhibiting concurrent sessions originating from multiple unique IP addresses within a short timeframe. The detection leverages Azure Active Directory NonInteractiveUserSignInLogs to analyze successful authentication events and count distinct source IPs within a 5-minute window. The activity is flagged as suspicious due to the potential for session hijacking, where an attacker uses stolen session cookies (possibly obtained via phishing kits like Evilginx2) to access corporate resources from geographically diverse locations. Successful session hijacking could lead to unauthorized access to sensitive information and potential data breaches. This detection is relevant for organizations using Azure AD for authentication and authorization. The original Splunk query was published on 2026-04-17.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises user credentials or obtains session cookies via phishing or other methods (e.g., Evilginx2).\u003c/li\u003e\n\u003cli\u003eAttacker initiates a session from a new IP address, potentially outside the user's typical geographic location.\u003c/li\u003e\n\u003cli\u003eThe user also has a legitimate session active from their usual location.\u003c/li\u003e\n\u003cli\u003eAzure AD records successful authentication events from both the attacker's IP and the user's legitimate IP.\u003c/li\u003e\n\u003cli\u003eThe analytic detects the concurrent sessions from different IP addresses for the same user within a 5-minute window.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked session to access corporate resources, such as email, cloud storage, or internal applications.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, potentially including data exfiltration, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, including customer information, financial records, and intellectual property. The number of affected users depends on the scale of the initial compromise. Organizations in all sectors are potentially vulnerable. A successful attack may result in financial losses, reputational damage, and regulatory fines due to data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD Concurrent Sessions From Different IPs\u003c/code\u003e to your SIEM and tune the threshold (unique_ips \u0026gt; 1) to fit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u003ccode\u003eAzure AD Concurrent Sessions From Different IPs\u003c/code\u003e rule, focusing on users with high-value accounts or access to sensitive data.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview Azure AD sign-in logs for suspicious activity, such as logins from unfamiliar locations or devices.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known phishing domains or command-and-control servers, referencing external threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:30:00Z","date_published":"2024-01-03T17:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-concurrent-sessions/","summary":"Detection of Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking and unauthorized access.","title":"Azure AD Account Concurrent Sessions from Different IPs","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-concurrent-sessions/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","credential-access","compromised-account"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies suspicious Azure Active Directory (AD) account activity characterized by successful authentications originating from multiple distinct IP addresses within a short time frame (30 minutes). This behavior is detected by analyzing Azure AD SignInLogs. This activity can indicate that an attacker has gained unauthorized access to an account, potentially through credential compromise following a phishing campaign or other means. Successful exploitation can lead to unauthorized access to sensitive data, internal systems, and further malicious activities within the Azure AD environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to valid Azure AD credentials through phishing, credential stuffing, or other means (T1110, T1566).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to Azure AD using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe legitimate user may also authenticate normally from their usual location.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates from a different IP address than the legitimate user.\u003c/li\u003e\n\u003cli\u003eAzure AD SignInLogs record successful authentication events, including the source IP address (src), user, and other relevant details.\u003c/li\u003e\n\u003cli\u003eA security monitoring system detects multiple successful authentications from different IP addresses for the same user within a 30-minute window.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to access cloud resources, applications, and data within the Azure environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of compromised Azure AD accounts can lead to significant damage. This includes unauthorized access to sensitive data stored within cloud applications, potential data breaches, and the ability for attackers to move laterally within the Azure environment. Affected organizations may experience financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD Successful Authentication From Different IPs\u003c/code\u003e to your SIEM and tune the threshold for \u003ccode\u003eunique_ips\u003c/code\u003e based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the user account has been compromised.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD SignInLogs for unusual authentication patterns, such as logins from unfamiliar locations or devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-multi-ip-auth/","summary":"An Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window, detected using Azure AD SignInLogs, which may indicate compromised credentials and unauthorized access to corporate resources.","title":"Azure AD Account Authentication from Multiple IPs","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-multi-ip-auth/"}],"language":"en","title":"CraftedSignal Threat Feed - Compromised-Account","version":"https://jsonfeed.org/version/1.1"}