[THEME] Login Protection
The Login Protection theme monitors login attempts to your Microsoft 365 environment and compares them against databases of known phishing attacks and suspicious activity patterns.
What does Attic do?
Attic continuously analyzes login activity to detect threats such as logins from known malicious IP addresses, suspicious user agents, and visits to phishing URLs. This theme also includes Clone Detection and the Attic Chrome Extension for additional browser-level protection.
The checks and rules in this theme cover:
- Detection of logins from cloud provider infrastructure (often used by attackers)
- Logins from IP addresses flagged by threat intelligence
- Suspicious login attempts with empty or unusual user agents
- Detection of suspicious or malicious URLs being clicked or visited
- Clone Detection and Login Seal monitoring
- Conditional Access Policy monitoring
Why is this important?
Hackers don't break in — they log in. By monitoring login patterns and comparing them against threat intelligence, Attic can detect compromised accounts and suspicious access before damage occurs. This proactive approach helps identify attacks that traditional security measures might miss.
Checks in this theme
| ID | Check |
|---|---|
| CHK-1109 | Clone Detection |
| CHK-1103 | Clone Intervention Screen |
| CHK-1110 | Login Authenticity Seal |
| CHK-1111 | Log Monitoring |
| CHK-1112 | Attic Monthly Report |
| CHK-1158 | Microsoft365 Portal Clone Detected |
| CHK-1820 | Attic AitM Blocker installed |
| RULE-1151 | Suspicious login (cloud provider) |
| RULE-1154 | Suspicious login (threat intelligence) |
| RULE-1155 | Suspicious login (empty user agent) |
| RULE-1156 | Suspicious login (pattern) |
| RULE-1157 | Click on phishing link |
| RULE-1158 | Visits to phishing sites |
| CHK-1600 | Authenticity Seal Validator App |
| CHK-1420 | Protection Alert Notifications |
| CHK-1114 | Conditional Access Policies |