A successful login was observed to an account from a country that is unusual for this tenant.
Possible Root Causes
An attacker may sign in to the compromised account from their true location, or through an arbitrary proxy system chosen without regard to the valid user's normal expected location.
A user may be traveling to a new country on business or on vacation and signing in to their account from there.
Business Impact
Adversaries frequently bypass security controls through the malicious, unauthorized use of valid credentials.
The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that account can access, and the account may be used for additional lateral movement or attacks against other internal users.
Steps to Verify
Validate whether the user in question is expected to sign in from this location (e.g. as part of a business trip).
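An added example, not part of the original page and not the vendor's detection logic: a minimal sketch of a "country unusual for this tenant" check over sign-in records, with the context needed for the verification step above. The record layout is a flattened form of the Microsoft Graph signIn fields; the 5% threshold, the sample data and the travel list are constructed assumptions.

```python
from collections import Counter

def rec(ts, upn, country, code=0):
    """Flattened sign-in record; errorCode 0 means the sign-in succeeded."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "countryOrRegion": country, "errorCode": code}

# Constructed sample data (not real logs): prior history, then new events.
BASELINE = (
    [rec(f"2024-05-{d:02d}T08:00:00Z", "alice@example.com", "US") for d in range(1, 21)]
    + [rec(f"2024-05-{d:02d}T09:00:00Z", "bob@example.com", "DE") for d in range(1, 11)]
)
NEW = [
    rec("2024-06-01T08:05:00Z", "alice@example.com", "US"),
    rec("2024-06-01T03:12:00Z", "alice@example.com", "BR"),
    rec("2024-06-01T03:15:00Z", "bob@example.com", "VN", code=50126),  # non-zero = failed
    rec("2024-06-02T11:00:00Z", "bob@example.com", "JP"),
]
TRAVEL = {("bob@example.com", "JP")}  # hypothetical approved-travel list

def tenant_country_share(events):
    """Share of the tenant's successful sign-ins coming from each country."""
    counts = Counter(e["countryOrRegion"] for e in events if e["errorCode"] == 0)
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()}

def unusual_logins(baseline, new, min_share=0.05, travel=frozenset()):
    """Flag successful sign-ins from countries rare for the tenant and attach
    the context an analyst needs for the verification step."""
    share = tenant_country_share(baseline)
    user_countries = {}
    for e in baseline:
        if e["errorCode"] == 0:
            user_countries.setdefault(e["userPrincipalName"], set()).add(e["countryOrRegion"])
    alerts = []
    for e in sorted(new, key=lambda x: x["createdDateTime"]):
        user, country = e["userPrincipalName"], e["countryOrRegion"]
        if e["errorCode"] != 0 or share.get(country, 0.0) >= min_share:
            continue  # failed sign-in, or a country that is normal for the tenant
        alerts.append({"time": e["createdDateTime"], "user": user, "country": country,
                       "tenant_share": share.get(country, 0.0),
                       "user_usual_countries": sorted(user_countries.get(user, [])),
                       "expected_travel": (user, country) in travel})
    return alerts

if __name__ == "__main__":
    for alert in unusual_logins(BASELINE, NEW, travel=TRAVEL):
        print(alert)
```

Alerts with `expected_travel` set are kept rather than suppressed, so the analyst still sees the sign-in and can confirm it against the trip.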
Azure AD Login From Suspicious Location
Business impact
If this detection indicates a genuine threat, the organization faces significant risks: