Azure Suspicious Access from GCP Cloud
Detection overview
Triggers
- An account has been accessed successfully from a GCP public cloud IP which is unusual for this account.
- Vectra AI Platform�s AI continuously learns whether a cloud provider and region are typical for a given user based on their history.
Possible Root Causes
- An attacker has successfully logged into an account using a GCP public cloud IP. The attacker uses a public IP to mask their true location, making the access appear to originate from a normal geolocation and IP space.
- A user or user-connected software has logged into an account from a GCP public cloud IP provider and region for the first time. This may reflect legitimate usage or the initiation of a cloud-based service associated with the account.
Business Impact
- An attacker who gains access to an internal account can leverage connected applications to further their attack.
Steps to Verify
- Review if the account owner has a legitimate reason to access their account from the GCP public cloud.
- Examine available logs to determine if there has been any progression of the attack.
- Contact the account owner to confirm whether the observed activity was initiated by them.
Azure Suspicious Access from GCP Cloud
Possible root causes
Malicious Detection
Benign Detection
Azure Suspicious Access from GCP Cloud
Example scenarios
Azure Suspicious Access from GCP Cloud
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspicious Access from GCP Cloud
Steps to investigate
Azure Suspicious Access from GCP Cloud
MITRE ATT&CK techniques covered
Azure Suspicious Access from GCP Cloud
Related detections
No items found.