Suspicious Login (Threat Intelligence) [RULE-1154]

Attic's detection rules flag sign-in attempts that match patterns commonly associated with cybercriminal behavior. This rule, RULE-1154, triggers an alert when a login attempt is detected from a source that appears in the Attic threat intelligence database.

Rationale

Suspicious sign-in attempts are strong indicators of adversary-in-the-middle (AiTM) attacks. During these attacks, phishing kits try to log into your accounts to capture passwords and cookies. These automated tools often exhibit patterns that differ from legitimate user behavior, such as rapid repeated attempts, unusual timing patterns, or specific request signatures commonly associated with credential harvesting and session hijacking.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to Microsoft Entra ID: https://entra.microsoft.com
  2. Temporarily block the account.
  3. Revoke all active user sessions.
  4. Investigate the authentication methods to see if a new one was added.
  5. Check for any newly registered applications.
  6. Review other suspicious activity by the account since the login attempt, using the Unified Audit Log: https://security.microsoft.com/auditlogsearch
  7. Change the account's password before unblocking the account.

If you need help with these steps, the Attic IR team can assist. You will need an IR Credit Pack for this.

Impact

Each alert records the time of the login attempt, the source IP address used, the account targeted, and the error code returned. An error code of 0 means the login attempt succeeded and access was gained.
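The following is an added triage example, not Attic's code: it applies the rule's logic to constructed Entra-style sign-in records, matching the source IP against a threat-intelligence set, reporting per account whether access was actually gained (error code 0), and flagging the rapid-failures-then-success pattern described in the rationale. The record field names, the indicator set, and the burst thresholds are assumptions for illustration.

```python
"""Triage helper for RULE-1154-style alerts (added example, not Attic's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records. Field names mirror the alert data the
# page describes (time, IP, account, error code); they are not a real schema.
SIGNINS = [
    {"time": "2024-05-01T08:00:03Z", "ip": "203.0.113.10", "account": "alice@example.com", "error": 50126},
    {"time": "2024-05-01T08:00:07Z", "ip": "203.0.113.10", "account": "alice@example.com", "error": 50126},
    {"time": "2024-05-01T08:00:11Z", "ip": "203.0.113.10", "account": "alice@example.com", "error": 0},
    {"time": "2024-05-01T09:15:00Z", "ip": "198.51.100.7", "account": "bob@example.com", "error": 50126},
    {"time": "2024-05-01T09:20:00Z", "ip": "192.0.2.44", "account": "carol@example.com", "error": 0},
]

# Constructed indicator set standing in for the Attic threat intelligence feed.
TI_IPS = {"203.0.113.10", "198.51.100.7"}

# Assumed thresholds: a success preceded by this many failures inside the
# window counts as the "rapid repeated attempts" pattern from the rationale.
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_FAILURES = 2


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def triage(signins, ti_ips):
    """Return {account: summary} for every account with a TI-matched sign-in."""
    by_account = defaultdict(list)
    for rec in signins:
        if rec["ip"] in ti_ips:          # the rule's trigger condition
            by_account[rec["account"]].append(rec)

    findings = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        successes = [r for r in recs if r["error"] == 0]   # error 0: access gained
        burst = False
        for s in successes:
            t = parse_time(s["time"])
            prior_failures = [r for r in recs if r["error"] != 0
                              and timedelta(0) <= t - parse_time(r["time"]) <= BURST_WINDOW]
            burst = burst or len(prior_failures) >= BURST_MIN_FAILURES
        findings[account] = {
            "attempts": len(recs),
            "ips": sorted({r["ip"] for r in recs}),
            "access_gained": bool(successes),
            "burst_then_success": burst,
            # successful TI-matched login: block, revoke sessions, investigate
            "priority": "contain" if successes else "monitor",
        }
    return findings


if __name__ == "__main__":
    for account, summary in triage(SIGNINS, TI_IPS).items():
        print(account, summary)
```

Accounts whose only matches failed are still surfaced, since repeated failures from a listed source are the pattern the rationale describes.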

More Information