Microsoft 365 Portal Login from Rare Location

Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/09/04"
  3integration = ["o365"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
 11commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
 12365 account from an unusual location or behind a VPN.
 13"""
 14false_positives = [
 15    """
 16    False positives may occur when users are using a VPN or when users are traveling to different locations.
 17    """,
 18]
 19from = "now-9m"
 20index = ["filebeat-*", "logs-o365.audit-*"]
 21language = "kuery"
 22license = "Elastic License v2"
 23name = "Microsoft 365 Portal Login from Rare Location"
 24references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
 25risk_score = 47
 26rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
 27severity = "medium"
 28tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide"]
 29timestamp_override = "event.ingested"
 30type = "new_terms"
 31
 32query = '''
 33event.dataset: "o365.audit"
 34    and event.provider: "AzureActiveDirectory"
 35    and event.action: "UserLoggedIn"
 36    and event.outcome: "success"
 37    and not o365.audit.UserId: "Not Available"
 38    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 39'''
 40note = """## Triage and analysis
 41
 42> **Disclaimer**:
 43> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 44
 45### Investigating Microsoft 365 Portal Login from Rare Location
 46
 47Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon locations, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical locations, flagging potential unauthorized access attempts by analyzing login events and user location patterns.
 48
 49### Possible investigation steps
 50
 51- Review the login event details from the o365.audit dataset to confirm the user's identity and the timestamp of the login.
 52- Analyze the location data associated with the login event to determine if it is indeed rare or unusual for the user's typical access patterns.
 53- Check the user's recent login history to identify any other logins from the same rare location or any other unusual locations.
 54- Investigate the IP address used during the login to determine if it is associated with known VPN services or suspicious activity.
 55- Contact the user to verify if they initiated the login from the rare location or if they are aware of any unauthorized access attempts.
 56- Examine any recent changes to the user's account settings or permissions that could indicate compromise or unauthorized access.
 57- Correlate this event with other security alerts or logs to identify any patterns or additional indicators of compromise.
 58
 59### False positive analysis
 60
 61- Users traveling frequently may trigger alerts due to logins from new locations. Implement a process to update known travel patterns for these users to reduce false positives.
 62- Employees using VPNs for legitimate purposes might appear to log in from rare locations. Maintain a list of approved VPN IP addresses and exclude them from triggering alerts.
 63- Remote workers who occasionally connect from different locations can cause false positives. Establish a baseline of expected locations for these users and adjust the detection rule accordingly.
 64- Shared accounts accessed by multiple users from different locations can lead to false alerts. Consider monitoring these accounts separately and applying stricter access controls.
 65- Temporary relocations, such as business trips or remote work arrangements, may result in unusual login locations. Communicate with users to anticipate these changes and adjust the detection parameters temporarily.
 66
 67### Response and remediation
 68
 69- Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
 70- Notify the user and relevant IT security personnel about the suspicious login activity to ensure awareness and initiate further investigation.
 71- Conduct a password reset for the affected account and enforce multi-factor authentication (MFA) if not already enabled to enhance account security.
 72- Review and analyze recent activity logs for the affected account to identify any unauthorized actions or data access that may have occurred.
 73- If unauthorized access is confirmed, initiate a security incident response plan, including data breach notification procedures if necessary.
 74- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or accounts are compromised.
 75- Implement geo-blocking or conditional access policies to restrict access from rare or high-risk locations, reducing the likelihood of similar incidents in the future."""
 76
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80[[rule.threat.technique]]
 81id = "T1078"
 82name = "Valid Accounts"
 83reference = "https://attack.mitre.org/techniques/T1078/"
 84[[rule.threat.technique.subtechnique]]
 85id = "T1078.004"
 86name = "Cloud Accounts"
 87reference = "https://attack.mitre.org/techniques/T1078/004/"
 88
 89
 90
 91[rule.threat.tactic]
 92id = "TA0001"
 93name = "Initial Access"
 94reference = "https://attack.mitre.org/tactics/TA0001/"
 95
 96[rule.new_terms]
 97field = "new_terms_fields"
 98value = ["o365.audit.UserId", "source.geo.country_name"]
 99[[rule.new_terms.history_window_start]]
100field = "history_window_start"
101value = "now-14d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Microsoft 365 Portal Login from Rare Location

Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon locations, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical locations, flagging potential unauthorized access attempts by analyzing login events and user location patterns.

Possible investigation steps

  • Review the login event details from the o365.audit dataset to confirm the user's identity and the timestamp of the login.
  • Analyze the location data associated with the login event to determine if it is indeed rare or unusual for the user's typical access patterns.
  • Check the user's recent login history to identify any other logins from the same rare location or any other unusual locations.
  • Investigate the IP address used during the login to determine if it is associated with known VPN services or suspicious activity.
  • Contact the user to verify if they initiated the login from the rare location or if they are aware of any unauthorized access attempts.
  • Examine any recent changes to the user's account settings or permissions that could indicate compromise or unauthorized access.
  • Correlate this event with other security alerts or logs to identify any patterns or additional indicators of compromise.

False positive analysis

  • Users traveling frequently may trigger alerts due to logins from new locations. Implement a process to update known travel patterns for these users to reduce false positives.
  • Employees using VPNs for legitimate purposes might appear to log in from rare locations. Maintain a list of approved VPN IP addresses and exclude them from triggering alerts.
  • Remote workers who occasionally connect from different locations can cause false positives. Establish a baseline of expected locations for these users and adjust the detection rule accordingly.
  • Shared accounts accessed by multiple users from different locations can lead to false alerts. Consider monitoring these accounts separately and applying stricter access controls.
  • Temporary relocations, such as business trips or remote work arrangements, may result in unusual login locations. Communicate with users to anticipate these changes and adjust the detection parameters temporarily.

Response and remediation

  • Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
  • Notify the user and relevant IT security personnel about the suspicious login activity to ensure awareness and initiate further investigation.
  • Conduct a password reset for the affected account and enforce multi-factor authentication (MFA) if not already enabled to enhance account security.
  • Review and analyze recent activity logs for the affected account to identify any unauthorized actions or data access that may have occurred.
  • If unauthorized access is confirmed, initiate a security incident response plan, including data breach notification procedures if necessary.
  • Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or accounts are compromised.
  • Implement geo-blocking or conditional access policies to restrict access from rare or high-risk locations, reducing the likelihood of similar incidents in the future.

References

Related rules

to-top