Command & Control

Azure AD Login From Suspicious Location

Detection overview

Triggers

  • A successful login to an account was observed from a country that is unusual for this tenant.

Possible Root Causes

  • An attacker may sign in to a compromised account from their true location, or from a proxy whose exit location was not chosen to match the legitimate user’s usual location.
  • A user may be traveling to a new country on business or on vacation and signing in to their account from there.

Business Impact

  • Adversaries frequently bypass security controls through the malicious, unauthorized use of valid credentials.
  • The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that account may access, and it may be used in service of additional lateral movement or attacks against other internal users.

Steps to Verify

  • Validate whether the user in question is expected to sign in from this location (e.g. as part of a business trip).
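As an added example (not part of the original page), the trigger and the verification step above expressed as detection logic over constructed Azure AD sign-in records: a tenant baseline of normal countries is learned from historical successful sign-ins, and each new successful sign-in from a country outside that baseline is reported together with the countries the same user has signed in from before, which is what an analyst needs to check the business-travel explanation. Field names are assumed to follow the Microsoft Graph signIn schema; all events are constructed sample data.

```python
# Added example, not from the original page: flag successful Azure AD sign-ins from
# countries unusual for the tenant. Field names follow the Microsoft Graph signIn
# resource (userPrincipalName, status.errorCode, location.countryOrRegion); constructed data.
from collections import Counter

def ev(ts, upn, country, error_code=0):
    """Minimal sign-in record; errorCode 0 means the sign-in succeeded."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "status": {"errorCode": error_code}, "location": {"countryOrRegion": country}}

# Constructed history used to learn what is normal for this tenant: 8 US, 2 DE and
# a single FR success, plus one failed attempt from RU (which must not count).
HISTORY = [ev(f"2024-04-{d:02d}T09:00:00Z", "alice@example.com", "US") for d in range(1, 9)]
HISTORY += [ev("2024-04-10T09:00:00Z", "bob@example.com", "DE"),
            ev("2024-04-11T09:00:00Z", "bob@example.com", "DE"),
            ev("2024-04-12T09:00:00Z", "carol@example.com", "FR"),
            ev("2024-04-13T03:00:00Z", "carol@example.com", "RU", error_code=50126)]

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [ev("2024-05-01T08:00:00Z", "alice@example.com", "US"),
              ev("2024-05-01T08:05:00Z", "bob@example.com", "BR"),
              ev("2024-05-01T08:10:00Z", "carol@example.com", "RU", error_code=50126),
              ev("2024-05-01T08:15:00Z", "alice@example.com", "DE")]

def successful(events):
    return [e for e in events if e["status"]["errorCode"] == 0]

def tenant_baseline(events, min_share=0.10):
    """Countries making up at least min_share of the tenant's successful sign-ins,
    so a one-off country in the history does not become 'normal'."""
    counts = Counter(e["location"]["countryOrRegion"] for e in successful(events))
    total = sum(counts.values())
    return {c for c, n in counts.items() if n / total >= min_share}

def find_suspicious_logins(new_events, history):
    """One alert per successful sign-in from outside the tenant baseline. Each alert
    lists the countries that user was seen from before, which is the first thing an
    analyst needs when checking whether the login matches legitimate travel."""
    baseline = tenant_baseline(history)
    per_user = {}
    for e in successful(history):
        per_user.setdefault(e["userPrincipalName"], set()).add(e["location"]["countryOrRegion"])
    alerts = []
    for e in sorted(successful(new_events), key=lambda e: e["createdDateTime"]):
        upn, country = e["userPrincipalName"], e["location"]["countryOrRegion"]
        if country not in baseline:  # failed attempts never reach here
            alerts.append({"user": upn, "country": country, "time": e["createdDateTime"],
                           "user_prior_countries": sorted(per_user.get(upn, ()))})
    return alerts
```

Only the successful sign-in from BR is reported; the failed RU attempt and the sign-ins from baseline countries are not.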
