
Successful Microsoft Entra sign-in from a new country

ID: entra_signin_new_country
Data type: Microsoft Entra ID
Severity: Informational - Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected a successful interactive sign-in to Microsoft Entra ID. While successful authentications are expected, certain conditions such as sign-ins from new locations, anomalous user agents, or sign-ins without multi-factor authentication (MFA) may indicate potential account compromise. Threat actors who obtain valid credentials can access organizational resources without triggering authentication failures, making it crucial to investigate successful sign-ins that deviate from normal patterns.

Impact

Successful sign-ins under unusual circumstances may indicate account compromise. Threat actors who obtain valid credentials through phishing, credential stuffing, or other methods can access organizational resources without triggering authentication failures. Unauthorized access to Entra accounts can lead to data theft, lateral movement within connected applications, and potential privilege escalation.

Severity

Severity        Condition
Informational   Successful sign-in
Low             Sign-in from a new country or with an anomalous user agent
Medium          Sign-in without MFA or unexpected login
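The following script shows how the conditions in the Description and the severity table above can be evaluated against a stream of sign-in events. It is an added example, not AlphaSOC's detection code. The events are constructed and only loosely modelled on the Microsoft Graph signIn resource: the field names (user, country, user_agent, mfa, success, interactive) are simplified assumptions, and the mfa flag stands in for a check of the sign-in's authentication requirement. Each user has a baseline of previously seen countries and browser families; a successful interactive sign-in from a country or user-agent family outside that baseline is Low, and any interactive sign-in without MFA is Medium. Failed and non-interactive sign-ins are out of scope for this alert and are skipped.

```python
import copy

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2}

# Ordered so that the most specific token wins: an Edge UA also contains
# "Chrome/" and "Safari/", and a Chrome UA also contains "Safari/".
UA_FAMILY_TOKENS = [
    ("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"),
    ("Safari/", "Safari"), ("python-requests/", "python-requests"), ("curl/", "curl"),
]


def ua_family(user_agent):
    """Reduce a raw User-Agent string to a browser/client family name."""
    for token, family in UA_FAMILY_TOKENS:
        if token in user_agent:
            return family
    return user_agent.split("/")[0].strip() or "unknown"


def classify(event, baseline):
    """Return (severity, reasons) for one successful interactive sign-in,
    or None if the event is out of scope (failed or non-interactive)."""
    if not event["success"] or not event["interactive"]:
        return None
    profile = baseline.get(event["user"])
    severity, reasons = "informational", []
    if profile is not None:  # users with no baseline yet cannot be "new" anywhere
        if event["country"] not in profile["countries"]:
            reasons.append(f"new country: {event['country']}")
            severity = "low"
        family = ua_family(event["user_agent"])
        if family not in profile["ua_families"]:
            reasons.append(f"anomalous user agent: {family}")
            severity = "low"
    if not event["mfa"]:
        reasons.append("no MFA")
        severity = "medium"
    return severity, reasons


def triage(events, baseline):
    """Classify events in order, learning the baseline only from unflagged sign-ins.
    A flagged country or client stays flagged until an analyst confirms it
    (that confirmation step is not modelled here). The input baseline is not mutated."""
    baseline = copy.deepcopy(baseline)
    findings = []
    for ev in events:
        result = classify(ev, baseline)
        if result is None:
            continue
        severity, reasons = result
        findings.append({"ts": ev["ts"], "user": ev["user"], "severity": severity, "reasons": reasons})
        if severity == "informational":
            profile = baseline.setdefault(ev["user"], {"countries": set(), "ua_families": set()})
            profile["countries"].add(ev["country"])
            profile["ua_families"].add(ua_family(ev["user_agent"]))
    return findings


def highest_severity(findings):
    """Highest severity across a set of findings, or None when there are none."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


# --- Constructed sample data (hypothetical users, RFC 5737 documentation IPs) ---
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
EDGE = CHROME + " Edg/124.0.0.0"

BASELINE = {
    "alice@example.com": {"countries": {"US"}, "ua_families": {"Chrome"}},
    "bob@example.com": {"countries": {"GB"}, "ua_families": {"Edge"}},
}


def ev(ts, user, country, user_agent, mfa, success=True, interactive=True):
    return {"ts": ts, "user": user, "country": country, "user_agent": user_agent,
            "mfa": mfa, "success": success, "interactive": interactive}


SAMPLE_SIGNINS = [
    ev("2024-05-01T08:00:00Z", "alice@example.com", "US", CHROME, mfa=True),
    ev("2024-05-01T09:15:00Z", "alice@example.com", "FR", CHROME, mfa=True),
    ev("2024-05-01T09:20:00Z", "bob@example.com", "GB", "python-requests/2.31.0", mfa=True),
    ev("2024-05-01T10:05:00Z", "bob@example.com", "GB", EDGE, mfa=False),
    ev("2024-05-01T10:40:00Z", "bob@example.com", "NG", "curl/8.4.0", mfa=False),
    ev("2024-05-01T11:00:00Z", "carol@example.com", "US", CHROME, mfa=True),
    ev("2024-05-01T11:30:00Z", "alice@example.com", "RU", CHROME, mfa=False, success=False),
    ev("2024-05-01T12:00:00Z", "alice@example.com", "US", CHROME, mfa=True, interactive=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS, BASELINE):
        print(finding["ts"], finding["user"], finding["severity"].upper(), "; ".join(finding["reasons"]))
```

The baseline is deliberately not extended by flagged sign-ins: if a Low alert for a new country were allowed to teach the baseline that country, a single successful attacker sign-in would silence every later one from the same place. In production the baseline should be seeded from a window of sign-ins that predates the period under investigation and updated only after the analyst confirms a sign-in with the user.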

Investigation and Remediation

Review the Entra sign-in logs to examine the authentication context, including source IP address, location, device, user agent, and whether MFA was satisfied. Verify with the user whether the sign-in was legitimate. For new-country or impossible-travel alerts, determine whether the user could plausibly have been in that location, or whether VPN, proxy, or mobile-carrier egress explains the discrepancy. For sign-ins without MFA, enable or enforce multi-factor authentication for the account. If the sign-in appears unauthorized, reset the user's credentials, revoke active sessions and refresh tokens so that tokens issued before the reset cannot be reused, and review recent account activity (mailbox rules, consent grants, role changes, and access to connected applications) for indicators of compromise.