{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sign-in-risk/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365"],"_cs_severities":["high"],"_cs_tags":["azure","entra-id","identity-protection","sign-in-risk","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft Entra ID Protection is a service that detects anomalies and risks associated with user sign-ins. This includes detecting sign-ins from anonymized IP addresses (VPN, Tor), identifying unlikely travel patterns, and detecting password spray attacks. This analysis is based on the \u0026quot;Entra ID Protection - Risk Detection - Sign-in Risk\u0026quot; rule from Elastic. The rule leverages Microsoft Entra ID Protection logs to identify potentially malicious or compromised accounts, allowing security teams to quickly triage and respond to these threats. The detections are designed to cover a wide array of initial access techniques targeting cloud environments. The references highlight real-world campaigns targeting Microsoft 365 and Entra ID environments, showing the importance of monitoring these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker attempts to gain initial access using techniques like password spraying (T1110.003) or exploiting valid accounts (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Spraying:\u003c/strong\u003e The attacker uses a list of common passwords against multiple accounts (T1110.003). Entra ID Protection detects the unusual pattern of failed login attempts across multiple accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAnonymized IP Address:\u003c/strong\u003e The attacker uses VPNs or Tor to mask their location (T1071). Entra ID Protection flags the sign-in due to the use of an anonymizing proxy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnlikely Travel:\u003c/strong\u003e The attacker logs in from a location drastically different from the user's typical locations within a short timeframe. This is flagged by Entra ID Protection as unlikely travel (T1071).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRisk Detection:\u003c/strong\u003e Entra ID Protection detects the sign-in risk event and generates a \u0026quot;User Risk Detection\u0026quot; log.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e If successful, the attacker gains access to the target account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation (Potential):\u003c/strong\u003e The attacker may attempt to move laterally within the cloud environment or escalate privileges to gain further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact (Potential):\u003c/strong\u003e The attacker may attempt to exfiltrate sensitive data or cause damage to the organization's resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack following these steps can lead to account compromise, data breaches, and unauthorized access to sensitive resources. Organizations may face financial losses, reputational damage, and legal consequences. The risk detections indicate a potential compromise that requires immediate investigation. By identifying and responding to these sign-in risks, organizations can prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect Entra ID Protection sign-in risk events and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Entra ID Protection logs and stream them into your security information and event management (SIEM) system, as required by the rule setup.\u003c/li\u003e\n\u003cli\u003eImplement sign-in risk policies in Entra ID Protection to automatically respond to risk events, such as requiring multi-factor authentication or blocking sign-ins from risky locations, as suggested in the rule's \u0026quot;Response and Remediation\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eReview authentication material such as primary refresh tokens (PRTs) or OAuth tokens to ensure they have not been compromised as mentioned in the rule's \u0026quot;Response and Remediation\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-risk-detection/","summary":"This brief covers detection of sign-in risk events identified by Microsoft Entra ID Protection, including anonymized IP addresses, unlikely travel, and password spray attacks, which can indicate compromised accounts or malicious activity.","title":"Entra ID Protection - Sign-in Risk Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-risk-detection/"}],"language":"en","title":"CraftedSignal Threat Feed - Sign-in-Risk","version":"https://jsonfeed.org/version/1.1"}