How to detect a cyberattack in Azure AD

Stop an attack in Azure AD!

Let's see how an analyst using Vectra can detect and respond to attackers targeting Azure AD federated applications and the Azure AD backend.

Account Compromised in Azure AD

You can see that john@corp.ai is prioritized as an active compromise, with several different Vectra detections correlated to the account.

Let's investigate john@corp.ai to understand what might be happening.

Malicious activity in an Azure AD account: a sign of a cyberattack.

You can see the account performed several actions that triggered alerts, including:

  • A suspicious authentication
  • Unusual use of PowerShell
  • The creation of new admin accounts
  • Changes to account permissions
  • The creation of exfiltration channels with M365 Power Automate

Command & Control, Lateral Movement, Data Exfiltration activities in Azure AD.

Azure AD Suspicious Sign-on

Let's take a deeper look at these alerts by clicking Expand All.

You can see details of a sign-on that could be the start of an account compromise.

This alert was generated by an AI algorithm that considers 20+ different attributes of the sign-in to determine if this is an attacker sign-in.

How to deep dive into a suspicious activity detected in Azure AD.

To understand more about this type of Vectra detection, click ? to review the in-app explanation page.

Review the explainer page to find the details that help with responding to alerts of this kind: the MITRE ATT&CK techniques, the actions that trigger the detection, and the impact of the attacker's behavior.

The Azure AD Suspicious Sign-On explainer page and its ranking in the MITRE ATT&CK framework.

When you are done reviewing, click x to continue investigating the sign-in event.

Account Compromise investigation in Azure AD

Now that we understand how this detection works, let's investigate and answer:

  • Was MFA bypassed?
  • How did the attacker sign in?
  • Was the login location different from the baseline?
  • Was the device different from the baseline?


MFA bypass in Azure AD

The investigation reveals that this was a compromised access event.

The attacker bypassed MFA and signed in anomalously from Russia using a Windows device.

Let's investigate deeper to understand more about what the attacker accessed.


Let's investigate the raw logs to see what other actions the attacker has taken.

Click Instant Investigation for query-less access to the account's historical activity in Azure AD and M365.

Investigate the attacker's historical data and check what they have been doing in your network.

We can complete our investigation by looking at john@corp.ai's historical Azure AD and M365 activity.

Let's focus on the Azure AD Sign-in activity to understand if this compromised account accessed other SaaS services.


This looks like the malicious access from before.

Click the row to see all the services accessed.

Malicious access detected in Microsoft Azure AD.

We can see that the attacker accessed Salesforce and Box in addition to the PowerShell module.

We have enough information to stop the attacker by disabling the account and blocking the attacker's access.

Attack Stopped!

Want to start seeing and stopping Azure AD compromises in your environment?

Detect and prevent cyberattacks in Azure AD

Vectra not only detects attackers but can also help prevent them.

Let's look at this dashboard to see the normal user access activity related to security controls and validate whether controls put in place are being bypassed.

One security control we can review is who has access to PowerShell.

Click AzureAD PowerShell Logins to see who else has access to PowerShell and review whether their access should be limited.

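The investigation questions asked earlier (was MFA bypassed, and did the sign-in's location and device differ from the user's baseline) and the review of who signs in through the Azure AD PowerShell application can both be answered from the sign-in logs themselves. The following Python script is an added example, not Vectra's code and not part of the original page: it runs over a handful of constructed sign-in records whose field names follow the shape of Azure AD sign-in log exports (userPrincipalName, appId, appDisplayName, ipAddress, location, deviceDetail, authenticationRequirement, status), builds a per-user baseline country and operating system, flags successful sign-ins that lacked MFA or deviate from that baseline, lists the applications the flagged sign-ins touched, and counts sign-ins per user through the PowerShell client applications. The user records, timestamps, IP addresses and the non-PowerShell appId values are invented; the two PowerShell appId values are Microsoft's published first-party client IDs.

```python
"""Triage constructed Azure AD sign-in records (added example, not Vectra code):
flag successful sign-ins that did not satisfy MFA or deviate from a per-user
baseline (country, OS), and list who signs in through the PowerShell clients."""
import json
from collections import Counter, defaultdict

# Microsoft's published first-party client IDs for the PowerShell modules.
POWERSHELL_APP_IDS = {
    "1b730954-1685-4b74-9bfd-dac224a7b894",  # Azure Active Directory PowerShell
    "14d82eec-204b-4c2f-b7e8-296a70dab67e",  # Microsoft Graph PowerShell
}

# Constructed sample records, one JSON object per line. Field names follow the
# shape of Azure AD sign-in exports; users, IPs, dates and the
# "placeholder-*" appId values are invented.
SAMPLE_SIGNINS = """
{"createdDateTime":"2023-03-01T08:02:11Z","userPrincipalName":"john@corp.ai","appId":"placeholder-sharepoint","appDisplayName":"Office 365 SharePoint Online","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-02T08:10:43Z","userPrincipalName":"john@corp.ai","appId":"placeholder-exchange","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-03T09:00:05Z","userPrincipalName":"john@corp.ai","appId":"placeholder-teams","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.11","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-06T08:14:52Z","userPrincipalName":"john@corp.ai","appId":"placeholder-sharepoint","appDisplayName":"Office 365 SharePoint Online","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"MacOs"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T02:41:09Z","userPrincipalName":"john@corp.ai","appId":"1b730954-1685-4b74-9bfd-dac224a7b894","appDisplayName":"Azure Active Directory PowerShell","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T02:55:30Z","userPrincipalName":"john@corp.ai","appId":"placeholder-salesforce","appDisplayName":"Salesforce","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T03:02:17Z","userPrincipalName":"john@corp.ai","appId":"placeholder-box","appDisplayName":"Box","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T10:12:00Z","userPrincipalName":"alice@corp.ai","appId":"1b730954-1685-4b74-9bfd-dac224a7b894","appDisplayName":"Azure Active Directory PowerShell","ipAddress":"192.0.2.25","location":{"countryOrRegion":"GB"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T10:20:00Z","userPrincipalName":"alice@corp.ai","appId":"placeholder-teams","appDisplayName":"Microsoft Teams","ipAddress":"192.0.2.25","location":{"countryOrRegion":"GB"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-07T11:00:00Z","userPrincipalName":"bob@corp.ai","appId":"placeholder-exchange","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.42","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Windows"},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _successful(rec):
    """errorCode 0 marks a successful sign-in; anything else is a failure."""
    return rec.get("status", {}).get("errorCode", 1) == 0


def build_baselines(records):
    """Per user, the most frequent country and OS across successful sign-ins.
    A production version would compute this over a longer history window than
    the records being triaged, so that the anomaly cannot dominate the mode."""
    countries, systems = defaultdict(Counter), defaultdict(Counter)
    for r in records:
        if not _successful(r):
            continue
        upn = r["userPrincipalName"]
        countries[upn][r["location"]["countryOrRegion"]] += 1
        systems[upn][r["deviceDetail"]["operatingSystem"]] += 1
    return {
        upn: {"country": countries[upn].most_common(1)[0][0],
              "os": systems[upn].most_common(1)[0][0]}
        for upn in countries
    }


def triage(records, baselines):
    """Return one finding per successful sign-in that lacked MFA or deviates
    from the user's baseline country or operating system."""
    findings = []
    for r in records:
        if not _successful(r):
            continue
        upn = r["userPrincipalName"]
        base = baselines.get(upn)
        reasons = []
        # singleFactorAuthentication means MFA was never required for this
        # sign-in; a bypass looks like this, not like a failed MFA prompt.
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("mfa_not_satisfied")
        country = r["location"]["countryOrRegion"]
        if base and country != base["country"]:
            reasons.append(f"country:{country} (baseline {base['country']})")
        os_name = r["deviceDetail"]["operatingSystem"]
        if base and os_name != base["os"]:
            reasons.append(f"os:{os_name} (baseline {base['os']})")
        if reasons:
            findings.append({"time": r["createdDateTime"], "user": upn,
                             "app": r["appDisplayName"], "ip": r["ipAddress"],
                             "reasons": reasons})
    return findings


def apps_touched(findings, upn):
    """Distinct applications reached by a user's flagged sign-ins."""
    return sorted({f["app"] for f in findings if f["user"] == upn})


def powershell_users(records):
    """Count successful sign-ins per user through the PowerShell client apps,
    i.e. the list to review when deciding whose PowerShell access to limit."""
    counts = Counter()
    for r in records:
        if _successful(r) and r.get("appId") in POWERSHELL_APP_IDS:
            counts[r["userPrincipalName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    base = build_baselines(recs)
    for f in triage(recs, base):
        print(f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
    print("PowerShell sign-ins per user:", powershell_users(recs))
```

Run as-is, the script prints the three flagged john@corp.ai sign-ins (PowerShell, Salesforce and Box from the same Russian IP, each with no MFA and an unfamiliar country and OS) and shows that alice@corp.ai also uses the PowerShell client, which is exactly the list a reviewer would work through before restricting access to the application.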

Prevent a cyberattack in Azure AD


You can see the compromised access from john@corp.ai and a few other users.

We can now block john@corp.ai's and the other users' access to PowerShell to prevent its use in future attacks.

PowerShell has been compromised.

Attacks Prevented!

Vectra’s detections are more accurate than a SIEM’s

How has Vectra improved the quality of the Azure AD and M365 threat detections that Blackstone receives, compared to alerts from the native solution and their SIEM?

“Our alert volume has been reduced by 90% since Vectra’s ML assesses more features and context in the models, which leads to more accurate detections.” - Kevin Kennedy, Senior Vice President, Cybersecurity, Blackstone
Read the Case Study

Want to start seeing and stopping Azure AD compromises in your own environment?

Discover the Vectra Platform