Azure Suspicious Access from AWS Cloud

Detection overview

Triggers

  • An account has been accessed successfully from an AWS public cloud IP address, which is unusual for this account.
  • Vectra AI Platform's AI continuously learns whether a cloud provider and region are typical for a given user based on that user's history.

Possible Root Causes

  • An attacker has successfully logged into an account from an AWS public cloud IP address. The attacker uses a public cloud IP to mask their true location, making the access appear to originate from a normal geolocation and IP space.
  • A user, or software acting on the user's behalf, has logged into the account from an AWS public cloud IP address in a provider and region not previously seen for this account. This may reflect legitimate usage or the initiation of a cloud-based service associated with the account.

Business Impact

  • An attacker who gains access to an internal account can leverage connected applications to further their attack.

Steps to Verify

  • Review if the account owner has a legitimate reason to access their account from the AWS public cloud.
  • Examine available logs to determine if there has been any progression of the attack.
  • Contact the account owner to confirm whether the observed activity was initiated by them.
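
As an added illustration of the trigger described above (not Vectra's own detection logic), the following Python flags successful Azure sign-ins from an AWS prefix whose region has not been seen for that account before; the AWS prefix list, its region mapping and the sign-in events are constructed sample data in the shape of AWS's ip-ranges.json and Azure AD sign-in logs.

```python
import ipaddress
from collections import defaultdict

# Constructed subset in the shape of AWS's published ip-ranges.json "prefixes"
# entries; the prefix-to-region mapping is illustrative, not authoritative.
AWS_PREFIXES = [
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    {"ip_prefix": "13.48.0.0/15", "region": "eu-north-1", "service": "AMAZON"},
]
AWS_NETS = [(ipaddress.ip_network(p["ip_prefix"]), p["region"]) for p in AWS_PREFIXES]

# Constructed Azure sign-in events, oldest first; errorCode 0 means the sign-in
# succeeded (mirrors the status.errorCode field of Azure AD sign-in logs).
SIGNINS = [
    {"user": "alice", "ip": "203.0.113.10", "errorCode": 0},   # corporate egress, not AWS
    {"user": "alice", "ip": "52.95.110.7", "errorCode": 0},    # AWS us-east-1
    {"user": "bob",   "ip": "198.51.100.4", "errorCode": 0},
    {"user": "alice", "ip": "52.95.110.9", "errorCode": 0},    # AWS us-east-1 again
    {"user": "alice", "ip": "3.5.141.20", "errorCode": 0},     # AWS ap-northeast-2: new for alice
    {"user": "bob",   "ip": "13.49.2.2", "errorCode": 50126},  # AWS eu-north-1, but a failed sign-in
]

def aws_region(ip):
    """Return the AWS region that announces ip, or None if ip is not an AWS prefix."""
    addr = ipaddress.ip_address(ip)
    for net, region in AWS_NETS:
        if addr in net:
            return region
    return None

def find_unusual_aws_access(events, baseline=None):
    """Flag successful sign-ins from an AWS region not yet seen for that user.
    baseline: {user: set of regions learnt from history}; it grows as events are
    processed, so each new region alerts once and then becomes 'usual'."""
    seen = defaultdict(set)
    for user, regions in (baseline or {}).items():
        seen[user].update(regions)
    alerts = []
    for ev in events:
        if ev["errorCode"] != 0:   # the trigger needs a successful access
            continue
        region = aws_region(ev["ip"])
        if region is None:         # not AWS address space, out of scope here
            continue
        if region not in seen[ev["user"]]:
            alerts.append((ev["user"], ev["ip"], region))
        seen[ev["user"]].add(region)
    return alerts
```

With alice's history already containing us-east-1, only her sign-in from ap-northeast-2 is flagged; bob's failed attempt from eu-north-1 is ignored because the trigger requires a successful access.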