Suspicious Login (Cloud Provider) [RULE-1151]
Attic flags sign-in attempts that match patterns associated with cybercriminal behavior. This rule covers the case of a login attempt originating from an IP address that belongs to a cloud provider's address space rather than to a user's residential or corporate network.
Rationale
Sign-in attempts with suspicious characteristics, such as those from a cloud provider IP, are strong indicators of cybercriminal activity. These patterns are often seen in adversary-in-the-middle (AiTM) attacks, where a phishing kit proxies the real sign-in page to capture passwords and session cookies; because the kit's proxy performs the sign-in on the victim's behalf, the login reaches the identity provider from the infrastructure the kit runs on, which is commonly a cloud provider.
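A minimal form of the check behind this rule, as an added example that is not Attic's detection code: sign-in events in the shape of Entra ID sign-in log records are matched against a list of cloud-provider CIDR ranges, and each hit is emitted as a finding. The events, the provider names and the CIDRs are all constructed for the example; the ranges use documentation address space as stand-ins, since a real deployment would build the list from the providers' published feeds (AWS ip-ranges.json, Azure Service Tags, Google cloud.json).

```powershell
# Added example (not Attic's detection code): flag sign-in events whose source IP
# falls inside a cloud-provider address range, the condition RULE-1151 describes.
# The CIDRs below are constructed stand-ins from documentation address space.
$CloudProviderRanges = @(
    @{ Provider = 'ExampleCloud-A'; Cidr = '203.0.113.0/24'  },
    @{ Provider = 'ExampleCloud-B'; Cidr = '198.51.100.0/25' }
)

# Prefix match of an IPv4/IPv6 address against a CIDR, byte by byte.
function Test-IPInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # v4 vs v6: never a match
    $prefix = [int]$bits
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        $remaining = $prefix - ($i * 8)
        if ($remaining -le 0) { return $true }                     # all prefix bits compared
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

# Walk the sign-in events and emit one finding per event whose IP is in a provider range.
function Find-CloudProviderSignIn {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [object[]]$Ranges = $CloudProviderRanges
    )
    foreach ($signIn in $SignIns) {
        foreach ($range in $Ranges) {
            if (Test-IPInCidr -Ip $signIn.ipAddress -Cidr $range.Cidr) {
                [pscustomobject]@{
                    Time     = $signIn.createdDateTime
                    User     = $signIn.userPrincipalName
                    IP       = $signIn.ipAddress
                    Provider = $range.Provider
                    Outcome  = if ($signIn.status.errorCode -eq 0) { 'success' } else { "failed ($($signIn.status.errorCode))" }
                    Rule     = 'RULE-1151 Suspicious Login (Cloud Provider)'
                }
                break   # one finding per event is enough
            }
        }
    }
}

# Constructed sample events using the field names of Entra ID sign-in log records.
# Only the first one sits inside a listed range; 198.51.100.200 is outside the /25.
$sampleSignIns = @'
[
  { "createdDateTime": "2024-05-02T09:14:07Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.45",   "status": { "errorCode": 0 } },
  { "createdDateTime": "2024-05-02T09:15:31Z", "userPrincipalName": "bob@example.com",   "ipAddress": "192.0.2.10",     "status": { "errorCode": 50126 } },
  { "createdDateTime": "2024-05-02T09:20:12Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.200", "status": { "errorCode": 0 } }
]
'@ | ConvertFrom-Json

Find-CloudProviderSignIn -SignIns $sampleSignIns | Format-Table -AutoSize
```

A successful sign-in from a provider range is the case the rule is designed for; failed attempts from the same ranges are still worth keeping, since a password-spray run from rented infrastructure looks the same at this stage and the "Outcome" column separates the two.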
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to Microsoft Entra ID: https://entra.microsoft.com
- Temporarily block the account
- Revoke all active user sessions
- Investigate the authentication methods to see if a new one was added
- Check for any newly registered applications
- Review other suspicious activity by the account since the login attempt, using the Unified Audit Log: https://security.microsoft.com/auditlogsearch
- Before unblocking the account: change the account's password
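The manual steps above, scripted against Microsoft Graph PowerShell and Exchange Online PowerShell as an added example. This is not Attic's automated fix and not code from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator holds a directory role allowed to disable users, revoke sessions, read authentication methods and applications, and search the Unified Audit Log. The two parameters, $UserPrincipalName and $Since, are names chosen for the example.

```powershell
# Added example: contain an account flagged by RULE-1151 and collect the evidence
# the manual steps ask for. Assumes the Microsoft.Graph and ExchangeOnlineManagement
# modules and an operator with the matching directory role.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # account the alert fired on
    [datetime]$Since = (Get-Date).AddDays(-7)           # start of the review window; set it to the alert time
)

# Delegated scopes used by the steps below.
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All', 'Application.Read.All'

# Step 1: temporarily block the account. Disabling sign-in keeps the object,
# mailbox and data intact while the review runs.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

# Step 2: revoke all active sessions. Refresh tokens and session cookies are
# invalidated, so a cookie captured by an AiTM phishing kit stops working.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# Step 3: list the registered authentication methods. Anything added after the
# suspicious sign-in (a new authenticator app or phone number) is persistence
# and must be removed before the account is unblocked.
Write-Host "`n== Authentication methods for $UserPrincipalName =="
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
    Select-Object Id,
        @{ n = 'Type';    e = { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } },
        @{ n = 'Created'; e = { $_.AdditionalProperties['createdDateTime'] } } |
    Format-Table -AutoSize

# Step 4: applications registered in the tenant since the review window started.
Write-Host "`n== Applications registered since $Since =="
Get-MgApplication -All -Property DisplayName, AppId, CreatedDateTime |
    Where-Object { $_.CreatedDateTime -ge $Since } |
    Select-Object DisplayName, AppId, CreatedDateTime |
    Format-Table -AutoSize

# Step 5: the account's activity since the sign-in, from the Unified Audit Log
# (the PowerShell equivalent of the audit log search at security.microsoft.com).
Connect-ExchangeOnline -ShowBanner:$false
Write-Host "`n== Unified Audit Log entries for $UserPrincipalName since $Since =="
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $UserPrincipalName -ResultSize 5000 |
    Select-Object CreationDate, RecordType, Operations, UserIds |
    Sort-Object CreationDate |
    Format-Table -AutoSize

# Step 6: change the password before the account is unblocked. A random interim
# value is set and the user must choose a new one at next sign-in, so the operator
# never has to know or transmit it. (The modulo step has a slight bias, acceptable
# for a one-time interim password; use a rejection loop if that matters to you.)
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(32)
$rng.GetBytes($bytes)
$alphabet    = [char[]](33..126)                      # printable ASCII, 94 symbols
$newPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# Unblock only after the output of steps 3-5 has been reviewed and anything
# attacker-added (methods, app registrations) has been removed:
# Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
```

Steps 1 and 2 are deliberately first: with AiTM the attacker already holds a valid session cookie, so resetting the password alone does nothing until the sessions are revoked, and leaving the account enabled while the review runs gives the attacker time to register a new authentication method.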
If you need help with these steps, the Attic IR team can assist. An IR Credit Pack is required for this service.
Impact
Following these steps will help prevent potential AiTM attacks, secure your account, and maintain the integrity of your data.