<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Compromised-Account - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/compromised-account/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 17:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/compromised-account/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure AD Account Concurrent Sessions from Different IPs</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-concurrent-sessions/</link><pubDate>Wed, 03 Jan 2024 17:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-concurrent-sessions/</guid><description>Detection of Azure AD accounts with concurrent sessions originating from multiple unique IP addresses within a 5-minute window, potentially indicating session hijacking and unauthorized access.</description><content:encoded><![CDATA[<p>This analytic identifies Azure AD accounts exhibiting concurrent sessions originating from multiple unique IP addresses within a short timeframe. The detection leverages Azure Active Directory NonInteractiveUserSignInLogs to analyze successful authentication events and count distinct source IPs within a 5-minute window. The activity is flagged as suspicious due to the potential for session hijacking, where an attacker uses stolen session cookies (possibly obtained via phishing kits like Evilginx2) to access corporate resources from geographically diverse locations. Successful session hijacking could lead to unauthorized access to sensitive information and potential data breaches. This detection is relevant for organizations using Azure AD for authentication and authorization. The original Splunk query was published on 2026-04-17.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises user credentials or obtains session cookies via phishing or other methods (e.g., Evilginx2).</li>
<li>Attacker initiates a session from a new IP address, potentially outside the user's typical geographic location.</li>
<li>The user also has a legitimate session active from their usual location.</li>
<li>Azure AD records successful authentication events from both the attacker's IP and the user's legitimate IP.</li>
<li>The analytic detects the concurrent sessions from different IP addresses for the same user within a 5-minute window.</li>
<li>The attacker leverages the hijacked session to access corporate resources, such as email, cloud storage, or internal applications.</li>
<li>Attacker performs unauthorized actions, potentially including data exfiltration, privilege escalation, or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, including customer information, financial records, and intellectual property. The number of affected users depends on the scale of the initial compromise. Organizations in all sectors are potentially vulnerable. A successful attack may result in financial losses, reputational damage, and regulatory fines due to data breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure AD Concurrent Sessions From Different IPs</code> to your SIEM and tune the threshold (unique_ips &gt; 1) to fit your environment.</li>
<li>Investigate alerts generated by the <code>Azure AD Concurrent Sessions From Different IPs</code> rule, focusing on users with high-value accounts or access to sensitive data.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise.</li>
<li>Review Azure AD sign-in logs for suspicious activity, such as logins from unfamiliar locations or devices.</li>
<li>Monitor network traffic for connections to known phishing domains or command-and-control servers, referencing external threat intelligence feeds.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>azuread</category><category>compromised-account</category></item><item><title>Azure AD Account Authentication from Multiple IPs</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-ad-multi-ip-auth/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-ad-multi-ip-auth/</guid><description>An Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window, detected using Azure AD SignInLogs, which may indicate compromised credentials and unauthorized access to corporate resources.</description><content:encoded><![CDATA[<p>This analytic identifies suspicious Azure Active Directory (AD) account activity characterized by successful authentications originating from multiple distinct IP addresses within a short time frame (30 minutes). This behavior is detected by analyzing Azure AD SignInLogs. This activity can indicate that an attacker has gained unauthorized access to an account, potentially through credential compromise following a phishing campaign or other means. Successful exploitation can lead to unauthorized access to sensitive data, internal systems, and further malicious activities within the Azure AD environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to valid Azure AD credentials through phishing, credential stuffing, or other means (T1110, T1566).</li>
<li>The attacker attempts to authenticate to Azure AD using the compromised credentials.</li>
<li>The legitimate user may also authenticate normally from their usual location.</li>
<li>The attacker successfully authenticates from a different IP address than the legitimate user.</li>
<li>Azure AD SignInLogs record successful authentication events, including the source IP address (src), user, and other relevant details.</li>
<li>A security monitoring system detects multiple successful authentications from different IP addresses for the same user within a 30-minute window.</li>
<li>The attacker leverages the compromised account to access cloud resources, applications, and data within the Azure environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of compromised Azure AD accounts can lead to significant damage. This includes unauthorized access to sensitive data stored within cloud applications, potential data breaches, and the ability for attackers to move laterally within the Azure environment. Affected organizations may experience financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure AD Successful Authentication From Different IPs</code> to your SIEM and tune the threshold for <code>unique_ips</code> based on your environment to reduce false positives.</li>
<li>Investigate any alerts generated by the Sigma rule to determine if the user account has been compromised.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the risk of credential compromise.</li>
<li>Monitor Azure AD SignInLogs for unusual authentication patterns, such as logins from unfamiliar locations or devices.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>credential-access</category><category>compromised-account</category></item></channel></rss>