General
Attic uses several detection rules to flag sign-in attempts in the Sign-in logs that match patterns commonly associated with cybercriminal behavior.
- RULE-1151 – IP address belongs to a cloud provider
- RULE-1154 – Match with threat intel in Attic’s Threat Intelligence database
- RULE-1155 – Empty user agent
- RULE-1156 – Pattern matches in user agents
Rationale
Sign-in attempts with suspicious characteristics are strong indicators of cybercriminal activity, especially in adversary-in-the-middle (AiTM) attacks.
During an AiTM attack, the phishing kit attempts to log in to your accounts to capture passwords and cookies. These automated tools often exhibit specific patterns that differ from legitimate user behavior — such as rapid repeated attempts, unusual timing patterns, or specific request signatures commonly associated with credential harvesting and session hijacking.
Follow-up
Follow these steps to respond appropriately to this detection:
- Navigate to Microsoft Entra ID: https://entra.microsoft.com
- Temporarily block the account
- Revoke all active user sessions
- Investigate the authentication methods to see if a new one was added
- Check for any newly registered applications
- Review other suspicious activity by the account since the login attempt, using the Unified Audit Log: https://security.microsoft.com/auditlogsearch
- Before unblocking the account: change the account's password
If you need help with these steps, the Attic IR team can carry them out for you. You will need an IR Credit Pack for this.
Comments
0 comments
Please sign in to leave a comment.