Azure Suspicious Access from GCP Cloud

Detection overview

Triggers

  • An account was accessed successfully from a GCP public cloud IP address, and access from that cloud provider and region is unusual for this account.
  • The Vectra AI Platform's AI continuously learns which cloud providers and regions are typical for each user from that user's own sign-in history, so the detection is relative to the account, not to a global list of "bad" ranges.

Possible Root Causes

  • An attacker has successfully logged into the account from a GCP public cloud IP address. Routing the session through a cloud instance hides the attacker's true location and makes the access appear to come from ordinary, reputable IP space rather than from a known-bad or anonymizing network.
  • A user, or software acting on the user's behalf, has logged into the account from a GCP provider and region for the first time. This may be legitimate usage (for example, a newly deployed automation, CI job or service running in GCP that authenticates with the account's credentials).

Business Impact

  • An attacker who gains access to an internal account can leverage connected applications to further their attack.

Steps to Verify

  • Review whether the account owner has a legitimate reason to access the account from GCP (a workload, automation or tool they run in that provider and region).
  • Examine the available sign-in and audit logs to determine whether the attack progressed after the initial access: further sign-ins from the same IP, new application consents, mailbox rules, role changes or resource access.
  • Contact the account owner to confirm whether the observed activity was initiated by them; if not, treat the credentials as compromised.
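
As an added illustration, not Vectra's own detection code and not part of the original page, the following Python replays a constructed set of Entra ID sign-in events in time order, keeps a per-user set of (provider, region) pairs seen in successful sign-ins, and raises an alert the first time a user succeeds from a GCP range that is not in that user's history. It then collects the later successful events from the same IP as the "progression" context the verification steps ask for. The GCP prefix-to-region mapping, the sample events, the field names and the seeded baseline are all assumptions made for this example.

```python
"""Per-user first-seen cloud provider/region detection over sign-in events.
Added example; not Vectra's implementation. Field names follow the
Entra ID SigninLogs shape, but the data below is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# ASSUMPTION: illustrative ranges only. A real deployment loads GCP's published
# list (https://www.gstatic.com/ipranges/cloud.json) and refreshes it regularly;
# these prefix-to-region labels are not claimed to be accurate.
CLOUD_RANGES = [
    ("GCP", "us-central1", ipaddress.ip_network("34.66.0.0/16")),
    ("GCP", "asia-south1", ipaddress.ip_network("35.200.0.0/16")),
    ("GCP", "europe-west1", ipaddress.ip_network("35.187.0.0/16")),
]

SUCCESS = "0"  # SigninLogs ResultType "0" is a successful sign-in; anything else failed


def classify_ip(ip: str):
    """Map a source IP to (provider, region); (None, None) if not in a known cloud range."""
    addr = ipaddress.ip_address(ip)
    for provider, region, net in CLOUD_RANGES:
        if addr in net:
            return provider, region
    return None, None


@dataclass
class Alert:
    user: str
    ip: str
    provider: str
    region: str
    time: str
    # Later successful events by the same user from the same IP: what the session did next
    progression: list = field(default_factory=list)


def detect(events, baseline=None):
    """Replay events chronologically; alert the first time a user succeeds from a
    GCP (provider, region) pair absent from that user's history. `baseline` seeds
    per-user history, e.g. pairs learned during an earlier learning window."""
    history = defaultdict(set)
    if baseline:
        for user, pairs in baseline.items():
            history[user] |= set(pairs)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["ResultType"] != SUCCESS:
            continue  # failed attempts neither fire nor update the model
        user = ev["UserPrincipalName"]
        provider, region = classify_ip(ev["IPAddress"])
        if provider == "GCP" and (provider, region) not in history[user]:
            alerts.append(Alert(user, ev["IPAddress"], provider, region, ev["TimeGenerated"]))
        history[user].add((provider, region))  # learn every successful origin, cloud or not
    # Attach progression context so the analyst sees what each flagged session went on to do.
    for a in alerts:
        a.progression = [
            (e["TimeGenerated"], e["AppDisplayName"])
            for e in sorted(events, key=lambda e: e["TimeGenerated"])
            if e["UserPrincipalName"] == a.user and e["IPAddress"] == a.ip
            and e["ResultType"] == SUCCESS and e["TimeGenerated"] > a.time
        ]
    return alerts


# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "0", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2024-05-01T09:10:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "34.66.1.5", "ResultType": "0", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-05-01T09:12:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "34.66.1.5", "ResultType": "0", "AppDisplayName": "Microsoft Graph"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "35.200.7.7", "ResultType": "50126", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "35.187.2.2", "ResultType": "0", "AppDisplayName": "Office 365"},
]
# Assumed learned history: carol already runs a job in europe-west1, so her sign-in is normal.
KNOWN_BASELINE = {"carol@example.com": {("GCP", "europe-west1")}}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_BASELINE):
        print(f"{a.time} {a.user} from {a.ip} ({a.provider} {a.region}); then: {a.progression}")
```

Only alice's 09:10 sign-in fires: her earlier access came from a non-cloud address, bob's GCP attempt failed so it neither alerts nor trains the model, and carol's region is already in her history. The second alice event from the same IP is not a second alert but is surfaced as progression, which is the first thing to check when deciding whether the access was benign.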