{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/identity-protection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","suspicious-browser"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event in Azure Identity Protection signals unusual sign-in patterns indicative of potential account compromise or other malicious activity. This alert is triggered when the same browser is used to access multiple tenants from different countries, which is an atypical behavior for legitimate users. This type of activity could be caused by malware, credential theft, or an attacker attempting to blend in with normal user behavior after gaining unauthorized access. 
This detection is important for defenders because it can highlight early stages of an attack, potentially preventing lateral movement, data exfiltration, or other damaging actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, malware, or other means (T1566, T1190).\u003c/li\u003e\n\u003cli\u003eThe attacker configures a browser with the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the same browser to attempt sign-ins to multiple Azure tenants from different geographical locations, attempting to blend in with typical user activity.\u003c/li\u003e\n\u003cli\u003eAzure Identity Protection detects the \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event based on the anomalous sign-in activity.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker may gain access to sensitive data and resources within the targeted tenants.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised accounts to escalate privileges and move laterally within the organization (T1078, T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware (T1003, T1486).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting suspicious browser activity can lead to unauthorized access to multiple Azure tenants, potentially impacting numerous organizations. The compromise of user accounts can result in data breaches, financial losses, and reputational damage. 
The scope of the impact depends on the level of access granted to the compromised accounts and the sensitivity of the data stored within the targeted tenants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u0026ldquo;suspiciousBrowser\u0026rdquo; risk events in your Azure environment and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by this detection in the context of other sign-ins from the same user to identify false positives.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) to mitigate the impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eMonitor user sign-in activity for unusual patterns, such as sign-ins from multiple geographical locations within a short period.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-31-suspicious-azure-browser/","summary":"A suspicious browser activity alert indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser, potentially indicating compromised credentials or other malicious activity.","title":"Azure Identity Protection Suspicious Browser Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-31-suspicious-azure-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","anonymous-proxy","identity-protection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on identifying malicious activity within Azure Active Directory environments where users are observed originating traffic from anonymous IP addresses. 
These IP addresses are typically associated with VPNs, Tor exit nodes, or proxy services, often used by threat actors to obfuscate their true location and evade detection. The activity is flagged within Azure AD Identity Protection as a \u0026lsquo;riskyIPAddress\u0026rsquo;. Detecting and investigating these events is crucial, as they often precede or accompany other malicious behaviors such as account compromise, privilege escalation, and data exfiltration. It allows defenders to proactively identify and respond to potential security incidents before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure AD user account through various means, such as credential theft, phishing, or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an anonymous proxy service (e.g., VPN, Tor) to mask their true IP address and location.\u003c/li\u003e\n\u003cli\u003eThe compromised user account is used to sign in to Azure AD from the anonymous IP address.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the sign-in attempt as \u0026lsquo;riskyIPAddress\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges within the Azure AD environment, potentially targeting sensitive roles or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by creating new user accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eThe attacker may then try to access sensitive data or resources within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker exfiltrates sensitive data or launches further attacks against other systems within the organization\u0026rsquo;s network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging anonymous IP addresses can lead to 
significant damage, including unauthorized access to sensitive data, compromise of critical systems, and financial losses. The use of anonymous proxies makes attribution and incident response more difficult, potentially prolonging the duration of the attack. Organizations may experience data breaches, reputational damage, and regulatory fines as a result of such attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026lsquo;riskyIPAddress\u0026rsquo; events in Azure AD logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-in events flagged as \u0026lsquo;riskyIPAddress\u0026rsquo; in the context of other sign-ins from the same user to identify potential account compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access from untrusted locations or devices.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for suspicious activity, such as changes to user accounts, group memberships, or application permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-azure-anonymous-ip/","summary":"Detection of user activity originating from an IP address identified as an anonymous proxy, potentially indicating unauthorized access, privilege escalation, or persistence within an Azure Active Directory environment.","title":"Azure AD Activity From Anonymous IP Address","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-anonymous-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","Microsoft Entra ID 
Protection"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","atypical-travel","account-compromise","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user\u0026rsquo;s credentials and is attempting to access resources from a different location. The alert is triggered by the \u0026lsquo;unlikelyTravel\u0026rsquo; risk event type within Azure\u0026rsquo;s risk detection service. This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user\u0026rsquo;s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains a user\u0026rsquo;s credentials through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Location A):\u003c/strong\u003e The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Location A):\u003c/strong\u003e The attacker successfully authenticates and gains access to Azure resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure 
environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond Sign-in (Location B):\u003c/strong\u003e Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAtypical Travel Alert:\u003c/strong\u003e Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access/Data Exfiltration:\u003c/strong\u003e The attacker accesses sensitive resources or exfiltrates data from the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Atypical Travel attack can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user\u0026rsquo;s access and the attacker\u0026rsquo;s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. 
The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location and other factors.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent brute-force attacks against user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:21:00Z","date_published":"2024-01-02T18:21:00Z","id":"/briefs/2024-01-azure-atypical-travel/","summary":"The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.","title":"Azure Identity Protection Atypical Travel Anomaly","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","identity-protection","impossible-travel","account-compromise","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects \u0026ldquo;impossible travel\u0026rdquo; events within Azure Active Directory (Azure AD), a common indicator of account compromise. 
The scenario involves a user account exhibiting login activity from two geographically distant locations in a timeframe that makes physical travel between them impossible. This anomalous behavior often signifies that an attacker has gained unauthorized access to the account and is operating from a different location than the legitimate user. The rule leverages Azure AD Identity Protection\u0026rsquo;s risk detection capabilities to identify such instances. This detection is crucial for defenders as it highlights potential breaches and enables swift remediation actions to prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials, potentially through phishing (T1566), credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure AD from a geographic location different from the legitimate user\u0026rsquo;s typical location.\u003c/li\u003e\n\u003cli\u003eShortly after the initial authentication, the legitimate user authenticates to Azure AD from their usual location.\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection flags the activity as \u0026ldquo;impossible travel\u0026rdquo; due to the conflicting geographic locations and the short timeframe between the authentications.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;impossibleTravel\u0026rdquo; risk event is logged within Azure AD\u0026rsquo;s risk detection logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the compromised account (T1068) to gain broader access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may move laterally within the organization (T1021) to access sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization\u0026rsquo;s 
profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful \u0026ldquo;impossible travel\u0026rdquo; attack can lead to a full compromise of the user\u0026rsquo;s account, granting the attacker access to sensitive data, internal systems, and other resources accessible to the user. Depending on the user\u0026rsquo;s role and permissions, the impact could range from data breaches to financial losses and significant reputational damage. Organizations in all sectors are vulnerable, with a higher risk for those handling sensitive data or operating critical infrastructure. The number of affected users depends on the attacker\u0026rsquo;s ability to move laterally and escalate privileges after compromising the initial account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;impossible travel\u0026rdquo; events flagged by Azure AD Identity Protection, focusing on the \u003ccode\u003eriskEventType: 'impossibleTravel'\u003c/code\u003e (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the user account involved and the geographic locations of the login attempts (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eReview and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of unauthorized access even if credentials are compromised (T1110).\u003c/li\u003e\n\u003cli\u003eReview and adjust the sensitivity of Azure AD Identity Protection\u0026rsquo;s risk detection policies to align with your organization\u0026rsquo;s risk tolerance.\u003c/li\u003e\n\u003cli\u003eConsider implementing conditional access policies that restrict 
access based on geographic location or require MFA for logins from unfamiliar locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-impossible-travel/","summary":"This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.","title":"Impossible Travel Detection in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-impossible-travel/"}],"language":"en","title":"CraftedSignal Threat Feed — Identity-Protection","version":"https://jsonfeed.org/version/1.1"}