{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/identity_protection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azure","identity_protection","sign-in","account_compromise","risk_detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies Azure Active Directory sign-ins that exhibit properties unfamiliar to the user, such as new locations, devices, or browsers. This activity can indicate account compromise, lateral movement, or other malicious behavior. The detection leverages Azure Identity Protection\u0026rsquo;s risk detection capabilities, specifically the \u0026lsquo;unfamiliarFeatures\u0026rsquo; event. While a user legitimately changing devices or locations can trigger this, repeated or high-risk instances should be investigated. The alert is generated by Azure\u0026rsquo;s risk detection service, which analyzes sign-in patterns and flags anomalous events based on historical data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, credential stuffing, or other means (T1566, T1110).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to sign in to Azure AD using the compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003eThe sign-in originates from a location, device, or network that is not typical for the user (T1078).\u003c/li\u003e\n\u003cli\u003eAzure Identity Protection detects the unfamiliar sign-in properties and generates an \u0026lsquo;unfamiliarFeatures\u0026rsquo; risk event.\u003c/li\u003e\n\u003cli\u003eThe security operations team receives an alert based on the Sigma rule, indicating a potentially compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to access sensitive resources or data within the Azure environment (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker could attempt to escalate privileges within the environment to gain broader access (T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence within the environment to maintain access even if the initial compromise is detected (T1098).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, privilege escalation, and persistent access to the Azure environment. This can result in data breaches, financial loss, and reputational damage. The number of affected users and the severity of the impact will depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the data they are able to access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unfamiliar Sign-In Properties\u0026rdquo; to your SIEM and tune for your environment to detect potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts for the \u0026ldquo;Unfamiliar Sign-In Properties\u0026rdquo; Sigma rule by reviewing the user\u0026rsquo;s sign-in history and recent activity logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eEducate users about phishing and other social engineering tactics to prevent credential theft (T1566).\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other factors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-azure-unfamiliar-signin/","summary":"This alert detects Azure AD sign-ins with properties unfamiliar to the user, indicating potential account compromise or unauthorized access.","title":"Azure AD Sign-In with Unfamiliar Properties","url":"https://feed.craftedsignal.io/briefs/2024-01-30-azure-unfamiliar-signin/"}],"language":"en","title":"CraftedSignal Threat Feed — Identity_protection","version":"https://jsonfeed.org/version/1.1"}