Triggers
- A login attempt occurred to an account where both conditional access policies were not met and where sign-on attributes (such as location, device, etc.) that are unusual for the account.
Possible Root Causes
- An adversary has stolen a valid account and is attempting to use it as part of an attack but had not yet succeeded in circumventing MFA or other conditional access policies.
- A user has moved and performed a full refresh of their devices and failed to pass MFA or other conditional access policies.
Business Impact
- Adversaries will continue to attempt to bypass security controls until successful unless directly stopped.
- The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that the account may access, and it may be used in service of additional lateral movement or attacks against other internal users.
Steps to Verify
- Investigate irregularities associated with this user’s login events for indications of a successful compromise.
- Validate whether these attempts were performed by the account’s proper owner.