{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/impossible-travel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["azuread","identity-protection","impossible-travel","account-compromise","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects \u0026ldquo;impossible travel\u0026rdquo; events in Azure Active Directory (Azure AD, now Microsoft Entra ID), a common indicator of account compromise. The scenario is a single user account that signs in from two geographically distant locations within a window too short for physical travel between them. That pattern usually means an attacker has obtained the user\u0026rsquo;s credentials and is operating from a different location than the legitimate user. The rule does not compute distances itself; it consumes the risk detections that Azure AD Identity Protection already produces for this scenario.
This detection is crucial for defenders because it surfaces a likely breach early, while the attacker still holds only the initial account, and enables swift remediation such as revoking sessions and resetting credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a user\u0026rsquo;s credentials, for example through phishing (T1566), credential stuffing, or infostealer malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure AD from a location far from the legitimate user\u0026rsquo;s usual one.\u003c/li\u003e\n\u003cli\u003eWithin a window too short for physical travel, the legitimate user authenticates from their usual location (the two sign-ins can occur in either order).\u003c/li\u003e\n\u003cli\u003eAzure AD Identity Protection correlates the two sign-ins and, because the distance and the interval between them cannot be reconciled, flags the activity as \u0026ldquo;impossible travel\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;impossibleTravel\u0026rdquo; risk event is written to Azure AD\u0026rsquo;s risk detection logs, where the SIEM picks it up.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges within the compromised account (T1068) to gain broader access to resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may move laterally within the organization (T1021) to reach sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s ultimate goal could be data exfiltration, financial theft, or disruption of services, depending on the organization\u0026rsquo;s profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn account compromise that surfaces as \u0026ldquo;impossible travel\u0026rdquo; gives the attacker everything the user can reach: mailbox, files, internal applications, and any other resource the account is authorized for. Depending on the user\u0026rsquo;s role and permissions, the impact ranges from data breaches to financial losses and significant reputational damage. Every organization that uses Azure AD is exposed; the risk is higher for those handling sensitive data or operating critical infrastructure. How many users end up affected depends on how far the attacker can escalate privileges and move laterally from the first account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;impossible travel\u0026rdquo; events flagged by Azure AD Identity Protection, focusing on \u003ccode\u003eriskEventType: 'impossibleTravel'\u003c/code\u003e (logsource: azure, service: riskdetection). Confirm the exact value against risk detections in your own tenant before relying on the rule: the Microsoft Graph \u003ccode\u003eriskEventType\u003c/code\u003e enumeration reports the Defender for Cloud Apps impossible-travel detection as \u003ccode\u003emcasImpossibleTravel\u003c/code\u003e and Identity Protection\u0026rsquo;s atypical-travel detection as \u003ccode\u003eunlikelyTravel\u003c/code\u003e, so a rule that matches a single spelling can miss events.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts promptly. For both sign-ins, check the source IP, ASN, device, and application, and confirm with the user which one was theirs; corporate VPN or cloud-proxy egress is the most common benign explanation. On a confirmed compromise, revoke the user\u0026rsquo;s sessions and refresh tokens and reset the credentials before hunting for follow-on activity.\u003c/li\u003e\n\u003cli\u003eReview and enhance user training programs to educate employees on the risks of phishing and credential compromise (T1566).\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA), preferably phishing-resistant methods, for all users so that a stolen or guessed password (T1110) is not enough on its own to sign in.\u003c/li\u003e\n\u003cli\u003eReview and adjust the sensitivity of Azure AD Identity Protection\u0026rsquo;s risk detection policies to align with your organization\u0026rsquo;s risk tolerance, and register known corporate VPN and proxy egress ranges as named locations to improve the accuracy of the detection.\u003c/li\u003e\n\u003cli\u003eConsider conditional access policies that restrict access based on geographic location or require MFA for sign-ins from unfamiliar locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-impossible-travel/","summary":"This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to sign in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.","title":"Impossible Travel Detection in Azure AD","url":"https://feed.craftedsignal.io/briefs/2024-01-impossible-travel/"}],"language":"en","title":"CraftedSignal Threat Feed — Impossible-Travel","version":"https://jsonfeed.org/version/1.1"}
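The detection logic the brief describes, as an added example that is not part of the CraftedSignal feed, of its Sigma rule, or of Microsoft's Identity Protection code. The first function applies the rule's match (a riskEventType denoting impossible travel) to records shaped like Graph API riskDetection entries; the second is an independent speed check over raw sign-in events, useful to corroborate the platform's verdict or to back-test a threshold against your own sign-in logs. All records, user names, coordinates, the 1000 km/h speed threshold and the 100 km minimum distance are constructed assumptions for the example, and `mcasImpossibleTravel` is accepted alongside the brief's `impossibleTravel` as a second spelling.

```python
"""Impossible-travel checks over constructed Azure AD (Entra ID) logs.

Two checks are shown:
  1. filter_risk_detections(): the Sigma-style match over Identity Protection
     riskDetection records (logsource: azure, service: riskdetection).
  2. find_impossible_travel(): an independent speed check over raw sign-in
     events, to corroborate or back-test the platform's own verdict.
Every record below is constructed for the example; none is real tenant data.
"""
import math
from datetime import datetime

# riskEventType values treated as impossible travel. The brief's Sigma rule
# matches 'impossibleTravel'; the Microsoft Graph riskEventType enumeration
# spells the Defender for Cloud Apps detection 'mcasImpossibleTravel'.
IMPOSSIBLE_TRAVEL_EVENT_TYPES = {"impossibleTravel", "mcasImpossibleTravel"}

EARTH_RADIUS_KM = 6371.0


def filter_risk_detections(records):
    """Return the risk detections whose riskEventType denotes impossible travel."""
    return [r for r in records if r.get("riskEventType") in IMPOSSIBLE_TRAVEL_EVENT_TYPES]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z, as Azure exports them."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_impossible_travel(signins, max_speed_kmh=1000.0, min_distance_km=100.0):
    """Flag consecutive sign-ins by the same user that would require travelling
    faster than max_speed_kmh (assumed threshold, roughly airliner speed).
    Pairs closer than min_distance_km are ignored to absorb geo-IP jitter
    inside one metro area. Returns one finding dict per flagged pair."""
    by_user = {}
    for ev in signins:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _parse_utc(e["time"]))  # stable: ties keep input order
        for prev, cur in zip(events, events[1:]):
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist_km < min_distance_km:
                continue
            hours = (_parse_utc(cur["time"]) - _parse_utc(prev["time"])).total_seconds() / 3600
            # Same instant, distant places: the implied speed is unbounded, not a division error.
            speed_kmh = math.inf if hours == 0 else dist_km / hours
            if speed_kmh > max_speed_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "distance_km": round(dist_km), "hours": round(hours, 2),
                    "speed_kmh": speed_kmh,
                })
    return findings


# Constructed riskDetection records in the shape of a Graph API / diagnostic export.
SAMPLE_RISK_DETECTIONS = [
    {"riskEventType": "impossibleTravel", "userPrincipalName": "alice@example.com",
     "riskLevel": "high", "riskState": "atRisk", "detectedDateTime": "2024-01-02T09:31:00Z"},
    {"riskEventType": "unfamiliarFeatures", "userPrincipalName": "bob@example.com",
     "riskLevel": "medium", "riskState": "atRisk", "detectedDateTime": "2024-01-02T10:05:00Z"},
    {"riskEventType": "mcasImpossibleTravel", "userPrincipalName": "dave@example.com",
     "riskLevel": "high", "riskState": "confirmedCompromised", "detectedDateTime": "2024-01-02T12:00:00Z"},
]

# Constructed sign-in events: user, UTC time, and geolocated source-IP coordinates.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-01-02T08:00:00Z", "city": "Seattle", "lat": 47.6062, "lon": -122.3321},
    {"user": "alice", "time": "2024-01-02T09:30:00Z", "city": "Kyiv",    "lat": 50.4501, "lon": 30.5234},
    {"user": "bob",   "time": "2024-01-02T08:00:00Z", "city": "London",  "lat": 51.5074, "lon": -0.1278},
    {"user": "bob",   "time": "2024-01-02T11:00:00Z", "city": "Paris",   "lat": 48.8566, "lon": 2.3522},
    {"user": "carol", "time": "2024-01-02T08:00:00Z", "city": "Berlin",  "lat": 52.5200, "lon": 13.4050},
    {"user": "carol", "time": "2024-01-02T08:20:00Z", "city": "Berlin",  "lat": 52.5300, "lon": 13.4100},
    {"user": "dave",  "time": "2024-01-02T12:00:00Z", "city": "Tokyo",   "lat": 35.6762, "lon": 139.6503},
    {"user": "dave",  "time": "2024-01-02T12:00:00Z", "city": "Lagos",   "lat": 6.5244,  "lon": 3.3792},
]

if __name__ == "__main__":
    for r in filter_risk_detections(SAMPLE_RISK_DETECTIONS):
        print(f"risk detection: {r['userPrincipalName']} {r['riskEventType']} ({r['riskLevel']})")
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {f['user']} {f['from']} -> {f['to']} "
              f"{f['distance_km']} km in {f['hours']} h ({f['speed_kmh']:.0f} km/h)")
```

Run on the constructed data, the risk-detection filter returns alice and dave, and the speed check flags alice (Seattle to Kyiv, roughly 8800 km in 1.5 h) and dave (two sign-ins at the same instant on different continents), while bob's London-to-Paris trip and carol's intra-Berlin geo-IP jitter pass. The second check is the one to extend with a trusted-egress list: corporate VPN and cloud-proxy exits are the usual cause of benign "travel", and suppressing them at this layer mirrors registering them as named locations in the tenant.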