General
This rule allows Attic to check successful login attempts on the tenant for suspicious user agents.
Rationale
Research has shown that AiTM attackers log in to Microsoft environments using specific, relatively uncommon user agents. Detections of these user agents should therefore be investigated for potential misuse.
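As an added illustration of the check this rule performs (example code, not Attic's own implementation), the script below filters constructed Entra ID sign-in records for successful logins whose user agent matches a watchlist. The patterns and sample records are placeholders: the page does not publish the user agents the rule watches for.

```python
import json
import re

# Constructed placeholder patterns: the user agents Attic's rule actually watches
# for are not published on this page, so substitute your own watchlist here.
SUSPICIOUS_UA_PATTERNS = [
    re.compile(r"^ExampleAiTMClient/", re.I),
    re.compile(r"^PlaceholderAgent/\d+\.\d+$", re.I),
]

# Constructed sample records shaped like Microsoft Graph signIn objects (errorCode 0 = success).
SAMPLE_SIGNIN_LOGS = json.dumps([
    {"createdDateTime": "2024-05-01T08:12:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "userAgent": "ExampleAiTMClient/2.1", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:15:44Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Teams",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:20:19Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "OfficeHome",
     "userAgent": "PlaceholderAgent/1.0", "status": {"errorCode": 50126}},
])


def is_suspicious_user_agent(user_agent):
    """True when the user agent matches any watchlisted pattern (None never matches)."""
    return any(p.search(user_agent or "") for p in SUSPICIOUS_UA_PATTERNS)


def find_suspicious_successful_signins(signin_json):
    """Return successful sign-ins whose user agent is on the watchlist.

    Failed attempts are skipped on purpose: the rule only looks at successful
    logins, where an AiTM proxy has already relayed a valid session.
    """
    hits = []
    for entry in json.loads(signin_json):
        if entry.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-in, not in scope for this rule
        if is_suspicious_user_agent(entry.get("userAgent")):
            # Keep the fields an analyst needs for the manual follow-up steps.
            hits.append({k: entry[k] for k in (
                "userPrincipalName", "createdDateTime", "ipAddress",
                "appDisplayName", "userAgent")})
    return hits


for hit in find_suspicious_successful_signins(SAMPLE_SIGNIN_LOGS):
    print("Investigate:", hit)
```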
Attic Fix
A Fix is available for this detection which blocks the account in question. This action prevents further damage, but it is advisable to conduct follow-up investigation into the activities of the account since the login attempt.
If you have an IR Subscription, engage our experts to perform the follow-up investigation.
Manual follow-up
Follow these steps to adequately handle this detection:
- Open the Entra admin portal: https://entra.microsoft.com
- Go to Identity, then Monitoring & Health, and then Sign-in logs
- Locate the log entry from the Attic alert
- Investigate the login attempt and, only if it cannot be established that the alert is a false positive:
  - Block the user account
  - Reset the password and revoke logged-in sessions
  - Investigate the account for suspicious behavior, changed authentication methods, and suspicious App Consents. Zolder can assist with this.
- Only re-enable the account when it is deemed safe for use again.