M365 Identity Login from Atypical Region
Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window. Atypical regions are identified by combining the user's country and region geolocation history; an authentication from a new country/region pair for that user may indicate an adversary attempting to access the account from an unusual location or behind a VPN.
Elastic rule (source TOML):

```toml
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated
from in a specific time window. Atypical regions are identified by combining the user's country and region geolocation history; an
authentication from a new country/region pair for that user may indicate an adversary attempting to access the
account from an unusual location or behind a VPN.
"""
false_positives = [
    """
    False positives may occur when users are using a VPN or when users are traveling to different locations.
    """,
    """
    Mobile access may also result in false positives, as users may log in from various locations while on the go.
    """,
]
from = "now-15m"
index = ["logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Identity Login from Atypical Region"
note = """## Triage and analysis

### Investigating M365 Identity Login from Atypical Region

Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon regions, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical country/region pairs for a given user, flagging potential unauthorized access attempts by analyzing login events and user location patterns at country and region granularity.

### Possible investigation steps

- Review the user associated with these sign-ins to determine if the login attempt was legitimate or if further investigation is needed.
- Analyze the geographic locations of the logins to identify any patterns or anomalies that may indicate malicious activity.
- Review the ISP information for the login attempts to identify any unusual or suspicious providers.
- Review the authorization request type to understand the context of the login attempts and whether they align with the user's typical behavior.
- Analyze the client application used for the login attempts to determine if it is consistent with the user's normal usage patterns (Teams, Office, etc.).
- Analyze the user-agent associated with the login attempts to identify any unusual or suspicious patterns. These could also indicate mobile and endpoint logins causing false positives.

### False positive analysis

- Users traveling or using VPNs may trigger this alert. Verify with the user if they were traveling or using a VPN at the time of the login attempt.
- Mobile access may also result in false positives, as users may log in from various locations while on the go.

### Response and remediation

- Investigate the login attempt further by checking for any additional context or related events that may provide insight into the user's behavior.
- If the login attempt is deemed suspicious, consider implementing additional security measures, such as requiring multi-factor authentication (MFA) for logins from unusual locations.
- Educate users about the risks of accessing corporate resources from unfamiliar locations and the importance of using secure connections (e.g., VPNs) when doing so.
- Monitor for any subsequent login attempts from the same location or IP address to identify potential patterns of malicious activity.
- Consider adding exceptions to this rule for the user or source application ID if the login attempts are determined to be legitimate and not a security concern.
"""
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:o365.audit and
    event.provider:AzureActiveDirectory and
    event.action:UserLoggedIn and
    event.outcome:success and
    o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
    o365.audit.UserId:(* and not "Not Available") and
    source.geo.country_name:* and
    source.geo.region_name:* and
    not o365.audit.ApplicationId:(
        29d9ed98-a469-4536-ade2-f981bc1d605e or
        38aa3b87-a06d-4817-b275-7a316988d93b or
        a809996b-059e-42e2-9866-db24b99a9782 or
        08e18876-6177-487e-b8b5-cf950c1e598c or
        3e62f81e-590b-425b-9531-cad6683656cf or
        d7b530a4-7680-4c23-a8bf-c52c121d2e87
    ) and not o365.audit.ExtendedProperties.RequestType:(
        "Consent:Set" or
        "DeviceAuth:ReprocessTls" or
        "Kmsi:kmsi" or
        "Login:reprocess" or
        "Login:resume" or
        "MessagePrompt:MessagePrompt" or
        "Saml2:processrequest" or
        "SAS:EndAuth" or
        "SAS:ProcessAuth"
    ) and
    not user_agent.original:(*iPhone* or *iPad* or *Android* or *PKeyAuth*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "organization.id",
    "o365.audit.UserId",
    "o365.audit.ActorIpAddress",
    "o365.audit.ApplicationId",
    "o365.audit.ExtendedProperties.RequestType",
    "o365.audit.Target.ID",
    "source.geo.country_name",
    "source.geo.region_name",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.geo.country_name", "source.geo.region_name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
```
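As an added illustration (not Elastic's code), the Python below replays the rule's KQL filter and its `new_terms` check over constructed o365.audit-style events: the flattened field names (`user`, `country`, `region`, `app_id`, `request_type`, `user_agent`, `target_type`) are stand-ins for the ECS fields the rule names, and the sample logins are constructed.

```python
from datetime import datetime, timedelta

# Exclusion sets and Target.Type values copied from the rule's query.
EXCLUDED_APP_IDS = {
    "29d9ed98-a469-4536-ade2-f981bc1d605e", "38aa3b87-a06d-4817-b275-7a316988d93b",
    "a809996b-059e-42e2-9866-db24b99a9782", "08e18876-6177-487e-b8b5-cf950c1e598c",
    "3e62f81e-590b-425b-9531-cad6683656cf", "d7b530a4-7680-4c23-a8bf-c52c121d2e87"}
EXCLUDED_REQUEST_TYPES = {
    "Consent:Set", "DeviceAuth:ReprocessTls", "Kmsi:kmsi", "Login:reprocess", "Login:resume",
    "MessagePrompt:MessagePrompt", "Saml2:processrequest", "SAS:EndAuth", "SAS:ProcessAuth"}
TARGET_TYPES = {0, 10, 2, 3, 5, 6}
UA_EXCLUDES = ("iPhone", "iPad", "Android", "PKeyAuth")
NEW_TERMS_FIELDS = ("user", "country", "region")  # UserId + source.geo country/region

def matches_query(e):
    """Mirror of the rule's KQL filter over a flattened event dict (returns a bool)."""
    return (e.get("provider") == "AzureActiveDirectory" and e.get("action") == "UserLoggedIn"
            and e.get("outcome") == "success" and e.get("target_type") in TARGET_TYPES
            and e.get("user") not in (None, "", "Not Available")
            and bool(e.get("country")) and bool(e.get("region"))
            and e.get("app_id") not in EXCLUDED_APP_IDS
            and e.get("request_type") not in EXCLUDED_REQUEST_TYPES
            and not any(s in e.get("user_agent", "") for s in UA_EXCLUDES))

def new_terms_alerts(events, now, lookback=timedelta(minutes=15), history=timedelta(days=7)):
    """new_terms emulation: alert on matching events in the 15m lookback whose
    (user, country, region) tuple never appeared in the 7d history before the lookback."""
    start = now - lookback
    key = lambda e: tuple(e[f] for f in NEW_TERMS_FIELDS)
    baseline = {key(e) for e in events if matches_query(e) and now - history <= e["ts"] < start}
    return [e for e in events
            if matches_query(e) and start <= e["ts"] <= now and key(e) not in baseline]

NOW = datetime(2024, 9, 4, 12, 0)
def _ev(ts, country, region, **over):  # constructed successful portal login, fields overridable
    e = dict(ts=ts, provider="AzureActiveDirectory", action="UserLoggedIn", outcome="success",
             target_type=0, user="alice@example.com", country=country, region=region,
             app_id="00000000-0000-0000-0000-000000000001", request_type="Login:login",
             user_agent="Mozilla/5.0 (Windows NT 10.0)")
    e.update(over); return e

SAMPLE = [  # constructed events; only the Germany/Berlin login should alert
    _ev(NOW - timedelta(days=3), "United States", "Texas"),         # in history window
    _ev(NOW - timedelta(minutes=3), "United States", "Texas"),      # known pair, no alert
    _ev(NOW - timedelta(minutes=5), "Germany", "Berlin"),           # new pair -> alert
    _ev(NOW - timedelta(minutes=4), "France", "Paris", user_agent="Mozilla/5.0 (Linux; Android 14)"),
    _ev(NOW - timedelta(minutes=2), "Japan", "Tokyo", request_type="Kmsi:kmsi"),  # excluded
]
```

`new_terms_alerts(SAMPLE, NOW)` returns only the Berlin login; the Android and `Kmsi:kmsi` events are dropped by the filter before the new-terms comparison, which is why mobile and keep-me-signed-in traffic does not create a fresh country/region pair.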
Related rules
- M365 Identity Login from Impossible Travel Location
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
- M365 Identity Unusual SSO Authentication Errors for User
- M365 or Entra ID Identity Sign-in from a Suspicious Source
- Okta Alerts Following Unusual Proxy Authentication