{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-compromise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","authentication","geo-location","unauthorized-access","credential-compromise","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the risk of unauthorized access to Azure Active Directory (Azure AD) resources stemming from successful authentication events originating from unexpected geographic locations. While the source material does not attribute this activity to a specific threat actor, such access can be indicative of compromised user accounts, sophisticated phishing attacks, or insider threats. The focus is on detecting deviations from established operational norms, where user logins typically originate from known and trusted countries. By monitoring sign-in logs, security teams can identify potentially malicious activity that bypasses standard security controls and warrants further investigation. Effective detection relies on maintaining an accurate list of countries where the organization operates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid user credentials through phishing, malware, or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker leverages the compromised credentials to attempt authentication to Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker initiates a sign-in request to Azure AD from an IP address associated with an unexpected geographic location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass MFA (if present):\u003c/strong\u003e If multi-factor authentication (MFA) is enabled, the attacker may attempt to bypass it through techniques like MFA fatigue or SIM swapping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication:\u003c/strong\u003e The attacker successfully authenticates to Azure AD, gaining access to cloud resources and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges within the Azure AD environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the cloud environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Persistence:\u003c/strong\u003e The attacker exfiltrates sensitive data or establishes persistent access for future malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, financial loss, and reputational damage. The extent of the impact depends on the level of access gained by the attacker and the sensitivity of the compromised data. Organizations may face regulatory fines, legal action, and loss of customer trust. The absence of geographic restrictions on authentication increases the attack surface and elevates the risk of unauthorized access from malicious actors operating outside of the organization\u0026rsquo;s control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect successful authentications from countries outside of the organization\u0026rsquo;s operational footprint, based on the \u003ccode\u003eLocation\u003c/code\u003e field in Azure AD sign-in logs.\u003c/li\u003e\n\u003cli\u003eMaintain and regularly update a whitelist of countries where the organization operates to ensure the accuracy of the \u003ccode\u003efilter\u003c/code\u003e in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the sign-in event and the potential compromise of the user account.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise, although attackers may attempt to bypass MFA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T18:22:00Z","date_published":"2024-01-29T18:22:00Z","id":"/briefs/2024-01-azure-auth-bypass/","summary":"Detection of successful authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.","title":"Azure AD Authentication from Unexpected Geo-locations","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Compromise","version":"https://jsonfeed.org/version/1.1"}