Suspicious Login (User Agent pattern) [RULE-1156]
Attic flags sign-in attempts that match patterns commonly associated with cybercriminal tooling. Detection rule RULE-1156 covers one such pattern: a sign-in whose user agent matches those seen from attacker infrastructure rather than from the user's own browser.
Rationale
Suspicious sign-in patterns are a strong indicator of adversary-in-the-middle (AiTM) phishing. In an AiTM attack, a phishing kit proxies the victim's sign-in to the real identity provider, captures the password and the resulting session cookie, and then replays them to sign in as the victim. Because the request that reaches Microsoft Entra ID comes from the kit's proxy rather than the victim's browser, its user agent (and typically its IP address and device state) differs from the user's established pattern, and that difference is what the rule keys on.
Fix
An automated fix is available through Attic.
Manual steps:
- Go to the Microsoft Entra admin center: https://entra.microsoft.com
- Temporarily block sign-in for the account, so that no new tokens can be issued while you investigate.
- Revoke all active sessions for the user. This invalidates refresh tokens; access tokens already issued remain valid until they expire, which is why the block stays in place until the remaining steps are done.
- Review the account's registered authentication methods and remove any that were added around or after the suspicious sign-in.
- Check for newly registered applications, and for new application consents granted by the account.
- Review the account's other activity since the sign-in attempt in the Unified Audit Log: https://security.microsoft.com/auditlogsearch
- Reset the account's password, and only then unblock the account.
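The steps above as a single runbook, including the user-agent triage the rationale describes, written as an added example for this page; it is not Attic's automated fix and not code from the Attic project. It uses the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module. `$Upn` and `$LookbackDays` are assumed parameters, the Graph scopes requested are assumed to be sufficient for the operator's directory role, and the final unblock is deliberately left commented out so it remains a manual decision after the review output has been read.

```powershell
# Added example: containment runbook for an account flagged by RULE-1156.
# Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
# $Upn and $LookbackDays are assumed inputs, not values produced by the rule.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int] $LookbackDays = 7
)

# Scopes are an assumption; adjust to what your role assignment permits.
Connect-MgGraph -Scopes @(
    "User.ReadWrite.All",
    "Directory.AccessAsUser.All",
    "UserAuthenticationMethod.Read.All",
    "AuditLog.Read.All",
    "Application.Read.All",
    "DelegatedPermissionGrant.Read.All"
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Block sign-in first: no new tokens can be issued while the rest runs.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke sessions. This invalidates refresh tokens; access tokens already
#    issued stay valid until they expire, so the block above stays in place.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Recent sign-ins grouped by user agent. A user agent seen only a few
#    times, from IPs the user never uses, is the AiTM proxy pattern.
$sinceUtc = $since.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $sinceUtc" |
    Group-Object UserAgent |
    Select-Object Count,
        @{ n = "UserAgent"; e = { $_.Name } },
        @{ n = "IPs";       e = { ($_.Group.IPAddress | Sort-Object -Unique) -join ", " } } |
    Sort-Object Count |
    Format-Table -AutoSize -Wrap

# 4. Authentication methods: anything the user does not recognise gets removed.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } } |
    Format-Table -AutoSize

# 5. Applications registered in the window, and consents this user granted.
Get-MgApplication -All |
    Where-Object { $_.CreatedDateTime -gt $since } |
    Select-Object DisplayName, AppId, CreatedDateTime |
    Format-Table -AutoSize
Get-MgUserOauth2PermissionGrant -UserId $Upn -All |
    Select-Object ClientId, ResourceId, Scope, ConsentType |
    Format-Table -AutoSize -Wrap

# 6. Unified Audit Log for everything the account did in the window,
#    exported to CSV for review (5000 is the per-call maximum).
Connect-ExchangeOnline -ShowBanner:$false
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 |
    Select-Object CreationDate, RecordType, Operations, AuditData |
    Export-Csv -Path ".\$($Upn)-audit.csv" -NoTypeInformation

# 7. Reset the password to a random value and force a change at next sign-in.
#    Hand $newPassword to the user out of band; do not write it to a log.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 8. Unblock only after the output of steps 3 to 6 has been reviewed and any
#    attacker-added methods, apps or grants removed. Left manual on purpose:
# Update-MgUser -UserId $Upn -AccountEnabled:$true
```

The ordering matters: blocking sign-in before revoking sessions means the attacker cannot refresh a token in the gap, and resetting the password before unblocking means the credential the phishing kit captured is dead by the time the account can sign in again.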
Impact
Following these steps contains the compromise: the captured password and session are invalidated, any persistence the attacker added (authentication methods, applications, consents) is found and removed, and further unauthorized access and potential data exfiltration are prevented.