
Suspicious Login (Empty User Agent) [RULE-1155]

Attic flags sign-in attempts that exhibit patterns associated with cybercriminal behavior. One such pattern is a login attempt with an empty user agent, which is indicative of an adversary-in-the-middle (AITM) attack.

Rationale

AITM attacks involve phishing kits attempting to log into your accounts to capture passwords and cookies. These attacks often display specific patterns, such as empty user agents, that deviate from legitimate user behavior.
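The detection pattern the rule describes, as an added example that is not Attic's own rule code: a small Python routine that scans Entra ID sign-in records (the field names follow the Microsoft Graph signIn resource) and flags any login whose user agent is empty, missing, or whitespace only. The sample records are constructed and invented; the `RULE-1155` label is taken from this page, everything else is an assumption for illustration.

```python
import json
from typing import Iterable

# Constructed sample sign-in records (invented values, not real log data). The field
# names follow the Microsoft Graph signIn resource; the last three records show the
# three ways an "empty" user agent can appear: empty string, missing key, whitespace.
SAMPLE_SIGNIN_JSONL = """\
{"id": "s1", "createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "status": {"errorCode": 0}}
{"id": "s2", "createdDateTime": "2024-05-01T08:05:42Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "userAgent": "", "status": {"errorCode": 0}}
{"id": "s3", "createdDateTime": "2024-05-01T08:06:03Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"id": "s4", "createdDateTime": "2024-05-01T09:17:55Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9", "userAgent": "   ", "status": {"errorCode": 0}}
"""


def parse_signins(jsonl: str) -> list[dict]:
    """Parse one JSON sign-in record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def has_empty_user_agent(record: dict) -> bool:
    """True when the userAgent field is absent, empty, or whitespace only."""
    ua = record.get("userAgent")
    return ua is None or not ua.strip()


def find_empty_user_agent_logins(records: Iterable[dict]) -> list[dict]:
    """One finding per sign-in with an empty user agent (the RULE-1155 pattern)."""
    findings = []
    for rec in records:
        if not has_empty_user_agent(rec):
            continue
        # Graph reports errorCode 0 for a successful sign-in, non-zero for a failure.
        error_code = rec.get("status", {}).get("errorCode", 0)
        findings.append({
            "rule": "RULE-1155",
            "signin_id": rec.get("id"),
            "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "time": rec.get("createdDateTime"),
            "succeeded": error_code == 0,
        })
    return findings


def accounts_needing_fix(findings: list[dict]) -> set[str]:
    """Users with at least one *successful* empty-user-agent login: these are the
    accounts the Fix procedure (block, revoke sessions, investigate) applies to."""
    return {f["user"] for f in findings if f["succeeded"]}


if __name__ == "__main__":
    found = find_empty_user_agent_logins(parse_signins(SAMPLE_SIGNIN_JSONL))
    for finding in found:
        print(finding)
    print("accounts needing fix:", sorted(accounts_needing_fix(found)))
```

Failed attempts with an empty user agent are still reported (they show the kit probing the account), but only accounts with a successful login are returned by `accounts_needing_fix`, since those are the sessions and tokens the Fix procedure has to invalidate.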

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to Microsoft Entra ID: https://entra.microsoft.com
  2. Temporarily block the account
  3. Revoke all active user sessions
  4. Investigate the authentication methods to see if a new one was added
  5. Check for any newly registered applications
  6. Review other suspicious activity by the account since the login attempt, using the Unified Audit Log: https://security.microsoft.com/auditlogsearch
  7. Before unblocking the account: change the account's password
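The manual steps above as a scripted runbook, added here as an example and not Attic's automated fix. It uses Microsoft Graph v1.0 endpoints (`PATCH /users/{id}` for `accountEnabled` and `passwordProfile`, `POST /users/{id}/revokeSignInSessions`, `GET /users/{id}/authentication/methods`, `GET /applications`), which are real, but the `graph_transport` helper, the user id and the password value are assumptions and placeholders. Step 6, the Unified Audit Log review, stays a manual check in the portal URL given above; the script deliberately splits containment (steps 2 to 5) from restoration (step 7) so the analyst reviews the returned data before unblocking.

```python
import json
import urllib.request
from datetime import datetime
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport sends one Graph request (method, url, json body or None) and returns
# the decoded JSON response ({} for an empty body). Keeping it pluggable lets the
# runbook be dry-run against a recorder before it touches a real tenant.
Transport = Callable[[str, str, Optional[dict]], dict]


def graph_transport(access_token: str) -> Transport:
    """Hypothetical helper: a minimal bearer-token transport built on urllib."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def _ts(value: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp in its trailing-'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _list_all(url: str, send: Transport) -> list[dict]:
    """Collect every page of a Graph collection by following @odata.nextLink."""
    items: list[dict] = []
    while url:
        page = send("GET", url, None)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink", "")
    return items


def contain_account(user_id: str, login_time: str, send: Transport) -> dict:
    """Steps 2-5: block the account, revoke all sessions, then gather what the
    analyst must review: registered auth methods and apps created since the login."""
    send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})        # step 2
    send("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)         # step 3
    methods = _list_all(f"{GRAPH}/users/{user_id}/authentication/methods", send)  # step 4
    apps = _list_all(f"{GRAPH}/applications?$select=id,displayName,createdDateTime", send)
    since = _ts(login_time)
    new_apps = [a for a in apps if _ts(a["createdDateTime"]) >= since]          # step 5
    return {"authentication_methods": methods, "new_applications": new_apps}


def restore_account(user_id: str, new_password: str, send: Transport) -> None:
    """Step 7: rotate the password first, and only then re-enable the account."""
    send("PATCH", f"{GRAPH}/users/{user_id}", {
        "passwordProfile": {"password": new_password, "forceChangePasswordNextSignIn": True}})
    send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": True})


if __name__ == "__main__":
    # Dry run against a recorder: prints the exact Graph calls without sending them.
    def recorder(method: str, url: str, body: Optional[dict]) -> dict:
        print(method, url, body)
        return {}
    report = contain_account("00000000-0000-0000-0000-000000000000",  # placeholder id
                             "2024-05-01T08:05:42Z", recorder)
    print("review before unblocking:", report)
    restore_account("00000000-0000-0000-0000-000000000000", "PLACEHOLDER-NEW-PASSWORD", recorder)
```

For a live run, replace `recorder` with `graph_transport(token)` where the token carries User.ReadWrite.All, UserAuthenticationMethod.Read.All and Application.Read.All; the dry run is worth keeping as a check that the password change always precedes the `accountEnabled: true` call.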

Impact

Upon successful implementation of the fix, the potential AITM attack is mitigated, and the account's security is restored.

More Information