Azure AD Suspected Compromised Access

Detection overview

Triggers

  • A successful login has occurred to an account with many characteristics that are both unusual for the account and highly correlated with account compromise.

Possible Root Causes

  • An adversary has stolen valid credentials (or a session token) for the account and is using it as part of an attack.
  • A user has changed several aspects of their normal sign-in behavior at once (for example, new location, new device, and new client application during travel), and the combination matches patterns associated with malicious account takeovers.

Business Impact

  • Adversaries frequently bypass security controls through the malicious, unauthorized use of valid credentials, because activity under a legitimate account does not trip controls that look for exploitation or malware.
  • The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that the account can access, and the account may be used for lateral movement or for attacks (such as internal phishing) against other users in the organization.

Steps to Verify

  1. Investigate the irregularities associated with these login events (for example, source country and IP range, device and browser, client application, and time of sign-in) for indications of compromise, comparing them against the account's established sign-in baseline.
  2. Validate that the login activities were performed in accordance with organizational MFA policies, and enforce a re-login with MFA if required.
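The following is a worked example of the two verification steps above, added here as illustration; it is not part of this page's original content and not Vectra's detection logic. It builds a baseline from an account's prior successful sign-ins, counts how many attributes of the alerting sign-in have never been seen for that account, and checks whether MFA was actually satisfied. Record field names follow the Microsoft Graph `signIn` resource (the schema used by Entra ID sign-in log exports); the records themselves, the `example.com` identities, the IP addresses (documentation ranges) and the three-deviation threshold are constructed assumptions for the example.

```python
"""Triage helper for an Azure AD 'Suspected Compromised Access' alert.

Baseline the account's prior successful sign-ins, count attributes of the
alerting sign-in never seen before for that account, and check whether MFA
was satisfied. Record shape mirrors the Microsoft Graph `signIn` resource;
every record below is constructed sample data, not a real tenant log.
"""
from collections import Counter


def make_signin(**overrides):
    """Constructed sign-in record in Graph signIn shape; nested dicts are shallow-merged."""
    record = {
        "userPrincipalName": "alice@example.com",   # assumed sample identity
        "appDisplayName": "Office 365 Exchange Online",
        "clientAppUsed": "Browser",
        "ipAddress": "203.0.113.10",                  # TEST-NET-3 documentation range
        "authenticationRequirement": "multiFactorAuthentication",
        "location": {"countryOrRegion": "US", "city": "Denver"},
        "deviceDetail": {"operatingSystem": "Windows10", "browser": "Edge 120.0.0",
                         "isCompliant": True, "isManaged": True},
        "status": {"errorCode": 0},                   # 0 == successful sign-in
    }
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(record.get(key), dict):
            record[key] = {**record[key], **value}
        else:
            record[key] = value
    return record


# Constructed history: same region, managed Windows device, MFA every time.
HISTORY = [
    make_signin(ipAddress="203.0.113.10"),
    make_signin(ipAddress="203.0.113.22"),
    make_signin(ipAddress="203.0.113.22", deviceDetail={"browser": "Edge 121.0.0"}),
    make_signin(ipAddress="203.0.113.15", status={"errorCode": 50126}),  # failed sign-in, excluded
    make_signin(userPrincipalName="bob@example.com", location={"countryOrRegion": "NL"}),  # other user
]

# Constructed alerting sign-in: new country, unmanaged Linux host, desktop client, single factor.
ALERT = make_signin(
    ipAddress="198.51.100.77",
    clientAppUsed="Mobile Apps and Desktop clients",
    authenticationRequirement="singleFactorAuthentication",
    location={"countryOrRegion": "NL", "city": "Amsterdam"},
    deviceDetail={"operatingSystem": "Linux", "browser": "Chrome 120.0.0",
                  "isCompliant": False, "isManaged": False},
)

# Attributes compared against the baseline; a never-before-seen value is one deviation.
ATTRIBUTES = {
    "country": lambda s: s["location"]["countryOrRegion"],
    "os": lambda s: s["deviceDetail"]["operatingSystem"],
    "browser_family": lambda s: s["deviceDetail"]["browser"].split(" ")[0],
    "client_app": lambda s: s["clientAppUsed"],
    "ip_prefix": lambda s: ".".join(s["ipAddress"].split(".")[:3]),  # coarse /24 bucket
    "device_trust": lambda s: (s["deviceDetail"]["isCompliant"], s["deviceDetail"]["isManaged"]),
    "app": lambda s: s["appDisplayName"],
}

ACTIONS = {
    "likely_compromise": "revoke refresh tokens, reset credentials, review recent MFA method changes",
    "suspicious": "many new attributes despite MFA; confirm with the user, check for MFA fatigue or new methods",
    "mfa_policy_gap": "familiar context but single factor; force re-authentication with MFA",
    "likely_benign": "familiar context and MFA satisfied; document and close",
}


def build_baseline(history, upn):
    """Value counts per attribute from prior *successful* sign-ins of this account only."""
    baseline = {name: Counter() for name in ATTRIBUTES}
    for s in history:
        if s["userPrincipalName"].lower() != upn.lower() or s["status"]["errorCode"] != 0:
            continue
        for name, extract in ATTRIBUTES.items():
            baseline[name][extract(s)] += 1
    return baseline


def deviations(signin, baseline):
    """Names of attributes whose value in this sign-in never appears in the baseline."""
    return sorted(name for name, extract in ATTRIBUTES.items() if extract(signin) not in baseline[name])


def mfa_satisfied(signin):
    """True when MFA was required for this sign-in and the sign-in completed successfully."""
    return (signin.get("authenticationRequirement") == "multiFactorAuthentication"
            and signin["status"]["errorCode"] == 0)


def triage(signin, history, min_deviations=3):
    """Classify the alerting sign-in; min_deviations is an assumed tunable, not a vendor threshold."""
    upn = signin["userPrincipalName"]
    devs = deviations(signin, build_baseline(history, upn))
    mfa = mfa_satisfied(signin)
    if len(devs) >= min_deviations:
        verdict = "suspicious" if mfa else "likely_compromise"
    else:
        verdict = "likely_benign" if mfa else "mfa_policy_gap"
    return {"user": upn, "deviations": devs, "mfa_satisfied": mfa,
            "verdict": verdict, "next_step": ACTIONS[verdict]}


if __name__ == "__main__":
    print(triage(ALERT, HISTORY))
```

Failed sign-ins and other users are deliberately excluded from the baseline so that an attacker's own password-spray attempts cannot "teach" the baseline their location, and the single-factor branch is kept separate from the deviation count because a familiar-looking sign-in that skipped MFA is a policy gap to close even when it is benign.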