{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/microsoft-365/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["cloud","identity","microsoft 365","initial access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious Microsoft 365 login activity indicative of \u0026ldquo;impossible travel,\u0026rdquo; where a user successfully logs in from two geographically distant locations (different countries) within a short timeframe (e.g., 15 minutes). This behavior is often associated with account compromise, where an attacker gains unauthorized access to a legitimate user\u0026rsquo;s credentials and attempts to access resources from a different location. The rule focuses on Azure Active Directory (Entra ID) logins and filters out specific application IDs and request types known to cause false positives. This detection is crucial for identifying and responding to potential breaches of M365 accounts, which can lead to data exfiltration, business email compromise (BEC), or other malicious activities. Without automated detection this behavior is easily missed, even though a legitimate user should not be able to log in from geographically distant locations within such a short time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker obtains valid credentials for a Microsoft 365 account, possibly through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Login (Location A):\u003c/strong\u003e The attacker uses the compromised credentials to successfully log into the Microsoft 365 portal from Country A. This generates a UserLoggedIn event with outcome:success in the Azure Active Directory audit logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Conditional):\u003c/strong\u003e If the compromised account has elevated privileges, the attacker may attempt to escalate their privileges within the Microsoft 365 environment. This activity is not directly covered by this rule, but it can happen after the initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Conditional):\u003c/strong\u003e After gaining initial access, the attacker may attempt to move laterally within the Microsoft 365 environment, accessing other user accounts or resources. This activity is not directly covered by this rule, but it can happen after the initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin from New Location (Location B):\u003c/strong\u003e Within a short timeframe (e.g., 15 minutes), the attacker initiates a new login attempt from Country B, which is geographically distant from Country A. This generates another UserLoggedIn event with outcome:success.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Malicious Activity:\u003c/strong\u003e Having gained access, the attacker performs malicious activities such as exfiltrating sensitive data, sending phishing emails, or modifying critical configurations within the Microsoft 365 environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may attempt to establish persistence within the compromised account, such as creating new mailbox rules or modifying authentication settings to maintain access even if the password is changed. This activity is not directly covered by this rule, but it can happen after the initial access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful \u0026ldquo;impossible travel\u0026rdquo; attack can lead to significant consequences, including unauthorized access to sensitive data, business email compromise (BEC), financial loss, and reputational damage. The number of affected users and the severity of the impact depend on the privileges associated with the compromised account and the attacker\u0026rsquo;s objectives. Organizations across all sectors are vulnerable to this type of attack, particularly those relying heavily on Microsoft 365 for communication, collaboration, and data storage. A successful breach can result in regulatory fines, legal liabilities, and a loss of customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;M365 Identity Login from Impossible Travel Location\u0026rdquo; to your SIEM to detect suspicious login patterns indicative of impossible travel.\u003c/li\u003e\n\u003cli\u003eTune the threshold settings in the Sigma rule \u0026ldquo;M365 Identity Login from Impossible Travel Location\u0026rdquo; to minimize false positives based on your organization\u0026rsquo;s travel patterns and VPN usage.\u003c/li\u003e\n\u003cli\u003eReview and enhance multi-factor authentication (MFA) policies for all users, especially those with privileged accounts, to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified \u0026ldquo;impossible travel\u0026rdquo; events promptly, following the triage and analysis steps outlined in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor user activity for signs of lateral movement, privilege escalation, and data exfiltration following any detected \u0026ldquo;impossible travel\u0026rdquo; events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-04T12:00:00Z","date_published":"2024-09-04T12:00:00Z","id":"/briefs/2024-09-m365-impossible-travel/","summary":"Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short timeframe, potentially indicating account compromise or unauthorized access.","title":"M365 Identity Login from Impossible Travel Location","url":"https://feed.craftedsignal.io/briefs/2024-09-m365-impossible-travel/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft 365","version":"https://jsonfeed.org/version/1.1"}