Tips on detecting suspicious sign in activity from phishing attack (AiTM)! (Using Entra ID & M365 as example)
Hi all, I am a cybersecurity analyst with 1 year and 6 months of experience. I'm writing this for fun and to teach some people who may be interested and are at a beginner level in detecting suspicious sign-in activity. In my example I'm going to be using Entra ID, as this is the most common IAM solution and the one I'm most familiar with monitoring.

First step is analyzing the alert you received in the queue. "Impossible travel time", "Anomalous sign in activity", "Sign in from bad IP": these are the types of suspicious authentication alerts that you will see in the SOC. Gather all the information:

- Time generated (time of the sign-in)
- App that was logged into (e.g. OfficeHome, MS Graph)
- Username/email
- IP address
- Device info (will normally be blank if it's tuned properly; if it's coming from a managed, trusted AD device it is a big indicator it's benign, so you need to tune it to avoid FPs for VPN usage)
- Location details (crucial to see which location it was logged in from; will determine later if it's a physical location or the location of a VPN server)
- User agent (crucial to detect what type of device it's coming from, and potential spoofing as well)

Then you can run a query like this (will differ greatly based on your SIEM query language; I'm using Kusto in MS Sentinel):

```kql
SigninLogs
// Filter before summarizing: ResultType is not in the summarized output,
// and it is a string column, so compare against "0" (successful sign-ins only).
| where ResultType == "0"
| summarize count() by TimeGenerated, AppDisplayName, UserPrincipalName, IPAddress,
    tostring(LocationDetails), tostring(DeviceDetail), UserAgent
```

^ Use a query like this to gather all the crucial details. We can then use the time range to see 24 hours, and then compare against previous sign-ins from the last 2-3 weeks to establish a baseline for location, IP address and device info, and to see if they have accessed that app before.

Once you determine the sign-in activity is indeed suspicious (it's a combination of blank device details (non-managed device), a new IP address, a new user agent or a suspicious user agent (potentially spoofed), a new app that's been used, and potential impossible travel based off the last successful login), we need to analyze what type of IP address is being used: either a VPN server or an ISP IP (which will show the approximate physical location of the actual sign-in). NEVER just focus on the IP reputation. The vast majority of the true positives I caught were all coming from clean IP reputations; threat actors are smart enough to know that if their IP address has been flagged and reported numerous times, their sign-in activity will be blocked. Analyze the ISP info: a threat actor will, the MAJORITY of the time, be using an IP address from a suspicious VPN server. You can do an ISP search for that VPN name and most of the time it will be something foreign. Once you confirm the IP is coming from a suspicious entity, such as a VPN server that is not authorized to be used in the company or a VPN server with a suspicious name, you can confirm it's indeed malicious.

From there you can quickly check the AuditLogs table to see any major changes to the user's account. Most threat actors will remove and change the compromised user's MFA, will remove the compromised user's mobile device and probably add theirs. From here, you can check the email logs and URL click events for the suspicious link that was clicked for them to be compromised. Once you find that suspicious email you can plug that phishing URL into an interactive sandbox such as Browserling to confirm it. Some threat actors' phishing sites are capable of detecting sandboxes and won't show their sign-in page, so be wary of that, but this isn't very common. After detecting all these suspicious events, you can begin to lock the user's account, reset MFA settings, start the IR process and do some forensics on what the threat actor did.

Will have to look for:

- Potential data exfiltration attempts. Can detect this from email logs or web traffic logs.
- Potential lateral movement: the threat actor will likely send the same phishing email, but this time from the compromised user's account to other internal users. Can detect this from email events as well.
- File modifications: the threat actor could have modified a file or deleted a file. For this, check logs such as Office activity (365 events).
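The baseline comparison the post does by hand (new IP, new user agent, new app, blank device detail, impossible travel against the last successful sign-in), as an added example that is not the post author's code. Field names follow the Sentinel SigninLogs columns; every record, IP address, coordinate and the 1000 km/h speed threshold below are constructed for the example.

```python
"""Triage one Entra ID sign-in against a user's baseline of successful sign-ins.

Added example, not the post author's code. Record layout mirrors Sentinel's
SigninLogs columns (TimeGenerated, AppDisplayName, UserPrincipalName, IPAddress,
LocationDetails, DeviceDetail, UserAgent, ResultType). All data is constructed.
"""
import math
from datetime import datetime

LONDON = {"city": "London", "countryOrRegion": "GB",
          "geoCoordinates": {"latitude": 51.51, "longitude": -0.13}}
LAGOS = {"city": "Lagos", "countryOrRegion": "NG",
         "geoCoordinates": {"latitude": 6.45, "longitude": 3.39}}
MANAGED = {"deviceId": "d-1", "isManaged": True, "trustType": "Hybrid Azure AD joined"}
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0"

# Constructed baseline: the user's sign-ins over the preceding weeks. The last
# entry is a FAILED attempt from the attacker's address; the ResultType filter
# must keep it out of the baseline so that address still counts as "new".
BASELINE = [
    {"TimeGenerated": "2025-07-01T08:02:00Z", "AppDisplayName": "OfficeHome",
     "UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "LocationDetails": LONDON, "DeviceDetail": MANAGED, "UserAgent": WIN_CHROME,
     "ResultType": "0"},
    {"TimeGenerated": "2025-07-21T08:00:00Z", "AppDisplayName": "OfficeHome",
     "UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "LocationDetails": LONDON, "DeviceDetail": MANAGED, "UserAgent": WIN_CHROME,
     "ResultType": "0"},
    {"TimeGenerated": "2025-07-21T09:55:00Z", "AppDisplayName": "OfficeHome",
     "UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.77",
     "LocationDetails": LAGOS, "DeviceDetail": {}, "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
     "ResultType": "50126"},   # constructed failure code; any non-"0" value is excluded
]

# Constructed alert: two hours after the London sign-in, a successful sign-in
# from a VPN exit address with no device detail, a new browser and a new app.
CANDIDATE = {
    "TimeGenerated": "2025-07-21T10:00:00Z", "AppDisplayName": "Microsoft Graph",
    "UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.77",
    "LocationDetails": LAGOS, "DeviceDetail": {},
    "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "ResultType": "0",
}

# Constructed benign control: same pattern as the baseline, one hour later.
BENIGN_CANDIDATE = {
    "TimeGenerated": "2025-07-21T09:00:00Z", "AppDisplayName": "OfficeHome",
    "UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
    "LocationDetails": LONDON, "DeviceDetail": MANAGED, "UserAgent": WIN_CHROME,
    "ResultType": "0",
}


def parse_ts(s):
    """ISO-8601 with trailing Z -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def coords(rec):
    g = rec["LocationDetails"]["geoCoordinates"]
    return g["latitude"], g["longitude"]


def triage(candidate, baseline, max_speed_kmh=1000.0):
    """Return the post's indicators for one sign-in versus the baseline."""
    ok = [r for r in baseline if r["ResultType"] == "0"]   # successful only
    reasons = []
    if candidate["IPAddress"] not in {r["IPAddress"] for r in ok}:
        reasons.append("new_ip")
    if candidate["UserAgent"] not in {r["UserAgent"] for r in ok}:
        reasons.append("new_user_agent")
    if candidate["AppDisplayName"] not in {r["AppDisplayName"] for r in ok}:
        reasons.append("new_app")
    if not (candidate.get("DeviceDetail") or {}).get("deviceId"):
        reasons.append("unmanaged_or_blank_device")
    # Impossible travel: speed implied between the last successful sign-in and this one.
    last = max(ok, key=lambda r: parse_ts(r["TimeGenerated"]))
    hours = (parse_ts(candidate["TimeGenerated"]) - parse_ts(last["TimeGenerated"])).total_seconds() / 3600
    km = haversine_km(*coords(last), *coords(candidate))
    speed = km / hours if hours > 0 else float("inf")
    if km > 0 and speed > max_speed_kmh:
        reasons.append("impossible_travel")
    return {"reasons": reasons, "distance_km": round(km), "implied_speed_kmh": round(speed),
            "suspicious": "impossible_travel" in reasons or len(reasons) >= 3}


if __name__ == "__main__":
    print(triage(CANDIDATE, BASELINE))
    print(triage(BENIGN_CANDIDATE, BASELINE))
```

The candidate trips all five indicators (London to Lagos in two hours implies roughly 2500 km/h), while the benign control trips none. The failed attempt from 198.51.100.77 minutes earlier is deliberately in the baseline to show why the ResultType filter matters: without it, the attacker's own failed password spray would make their address look "seen before".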
AI Analysis
Technical Summary
The provided information describes a phishing attack scenario involving Adversary-in-the-Middle (AiTM) techniques targeting Microsoft Entra ID (formerly Azure AD) and Microsoft 365 environments. In an AiTM phish the attacker's site proxies the real sign-in page, so the victim completes MFA normally and the attacker captures the resulting session cookie; password and MFA checks therefore pass, and detection has to rest on the sign-in telemetry. The analyst outlines a methodical approach to identifying such activity, starting from security alerts like "Impossible travel time," "Anomalous sign-in activity," and "Sign-in from bad IP." Key indicators include new or suspicious IP addresses (often VPN-based), unfamiliar user agents, first-time access to an application, and blank or missing device information, which suggests a non-managed device. The analyst emphasizes correlating these indicators with historical baseline sign-in data over several weeks to distinguish legitimate from malicious activity. Further investigation involves querying sign-in logs using Microsoft Sentinel with Kusto Query Language to aggregate and analyze fields such as username, IP address, device info, location, and application accessed. The approach also includes checking whether IP addresses originate from suspicious VPN providers, since the true positives the analyst reports mostly came from IPs with clean reputations. Post-compromise activities are investigated through audit logs to detect changes to MFA methods, device registrations, and other account modifications. Email logs and URL click events are examined to trace the phishing vector and confirm malicious URLs, sometimes using a sandbox (with the caveat that some phishing kits detect sandboxes and withhold their sign-in page). Once suspicious activity is confirmed, immediate incident response steps include locking the compromised account, resetting MFA, and conducting forensic analysis to identify data exfiltration, lateral movement via internal phishing, and file modifications within Microsoft 365 services.
This detection and response methodology aims to mitigate the impact of AiTM phishing attacks that bypass IP reputation checks and MFA.
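The post-compromise audit log check (MFA security-info changes and device registrations in the window after the flagged sign-in), as an added example that is not the post author's code or Microsoft's. The OperationName strings are the standard Entra ID audit log names for security-info and device registration activity; the user, events, timestamps and the 24-hour window are constructed.

```python
"""Correlate Entra ID audit events with a flagged sign-in.

Added example, not the post author's code. Record layout mirrors Sentinel's
AuditLogs columns (ActivityDateTime, OperationName, Result, InitiatedBy,
TargetResources). All events below are constructed.
"""
from datetime import datetime, timedelta

# Standard Entra ID audit OperationName values for MFA method changes...
SECURITY_INFO_OPS = {
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
}
# ...and for device registration.
DEVICE_OPS = {"Register device", "Add registered owner to device"}

# Constructed flagged sign-in (the alert that was triaged as suspicious).
FLAGGED_SIGNIN = {"TimeGenerated": "2025-07-21T10:00:00Z",
                  "UserPrincipalName": "alice@example.com"}


def _ev(ts, op, initiator, target_upn=None, target_name=None, result="success"):
    """Build a constructed AuditLogs-shaped event."""
    target = {"type": "User" if target_upn else "Device",
              "userPrincipalName": target_upn or "", "displayName": target_name or ""}
    return {"ActivityDateTime": ts, "OperationName": op, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": initiator}},
            "TargetResources": [target]}


# Constructed audit trail: noise before the window, other users' changes, and
# the attacker's sequence (delete MFA method, register their own, add a device).
AUDIT_EVENTS = [
    _ev("2025-07-18T09:00:00Z", "User registered security info", "alice@example.com", "alice@example.com"),
    _ev("2025-07-21T10:05:00Z", "Update user", "admin@example.com", "bob@example.com"),
    _ev("2025-07-21T10:30:00Z", "Register device", "alice@example.com", target_name="DESKTOP-7Q2"),
    _ev("2025-07-21T10:12:00Z", "User registered security info", "carol@example.com", "carol@example.com"),
    _ev("2025-07-21T10:07:00Z", "User deleted security info", "alice@example.com", "alice@example.com"),
    _ev("2025-07-21T10:09:00Z", "User registered security info", "alice@example.com", "alice@example.com"),
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _touches_user(event, upn):
    """True if the user is the target of, or the initiator of, the event."""
    targets = {t.get("userPrincipalName", "").lower() for t in event.get("TargetResources", [])}
    initiator = event.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()
    return upn in targets or initiator == upn


def post_signin_changes(flagged_signin, audit_events, window_hours=24):
    """List MFA and device changes tied to the user within the window after the sign-in."""
    t0 = parse_ts(flagged_signin["TimeGenerated"])
    t1 = t0 + timedelta(hours=window_hours)
    upn = flagged_signin["UserPrincipalName"].lower()
    hits = []
    for e in sorted(audit_events, key=lambda e: parse_ts(e["ActivityDateTime"])):
        t = parse_ts(e["ActivityDateTime"])
        if not (t0 <= t <= t1) or not _touches_user(e, upn):
            continue
        op = e["OperationName"]
        if op in SECURITY_INFO_OPS:
            kind = "mfa_change"
        elif op in DEVICE_OPS:
            kind = "device_change"
        else:
            continue
        hits.append({"minutes_after_signin": int((t - t0).total_seconds() // 60),
                     "operation": op, "kind": kind, "result": e.get("Result")})
    return {"hits": hits,
            "mfa_tampered": any(h["kind"] == "mfa_change" for h in hits),
            "device_added": any(h["kind"] == "device_change" for h in hits),
            "escalate": bool(hits)}


if __name__ == "__main__":
    for h in post_signin_changes(FLAGGED_SIGNIN, AUDIT_EVENTS)["hits"]:
        print(h)
```

The device registration is matched through InitiatedBy rather than TargetResources, because the target of a "Register device" event is the device object, not the user; filtering on target UPN alone would miss it.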
Potential Impact
For European organizations, this threat poses significant risks due to the widespread adoption of Microsoft Entra ID and Microsoft 365 services across enterprises and public sector entities. Successful AiTM phishing attacks can lead to unauthorized access to sensitive corporate data, intellectual property, and personal information protected under GDPR. The compromise of user accounts can facilitate lateral movement within networks, enabling attackers to escalate privileges, exfiltrate data, or disrupt operations. Given the reliance on cloud-based identity and collaboration platforms, such attacks can undermine business continuity and erode trust in digital services. Additionally, the use of sophisticated evasion tactics like clean IP reputations and VPN masking complicates detection efforts, increasing the likelihood of prolonged undetected breaches. The potential for internal phishing propagation further amplifies the threat, risking widespread compromise within organizations. This is especially critical for sectors handling sensitive data such as finance, healthcare, and government institutions in Europe.
Mitigation Recommendations
European organizations should implement context-aware detection that goes beyond IP reputation to identify suspicious sign-ins. This includes establishing behavioral baselines for user sign-in patterns over extended periods and alerting on deviations such as impossible travel, new device types, or unusual application access. Device compliance checks and Conditional Access policies reduce risk by restricting access from unmanaged or suspicious devices. Organizations should maintain an updated inventory of authorized VPN providers and block or flag access attempts from unauthorized VPN IP ranges. Regular auditing of MFA configurations and device registrations is critical to detect and remediate unauthorized changes promptly. Because AiTM relays the legitimate MFA prompt, only phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication) prevent the initial credential and session theft; during response, resetting the password and MFA methods is not enough on its own, since the attacker holds a valid session, so active sessions and refresh tokens must also be revoked. Email security solutions should be enhanced with URL sandboxing and phishing detection capabilities, while also educating users on recognizing AiTM phishing tactics. Incident response playbooks must incorporate steps for rapid account lockdown, forensic analysis of audit and email logs, and monitoring for lateral movement and data exfiltration indicators. Finally, Microsoft Entra ID Protection (risk-based sign-in detections) and Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) provide additional telemetry and automated response capabilities for Microsoft environments; Microsoft Defender for Identity adds coverage where on-premises Active Directory is federated or synchronized.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Belgium, Ireland, Poland
Technical Details
- Source Type: Subreddit
- Subreddit: netsec
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: proofpoint.com
- Newsworthiness Assessment: {"score":53.1,"reasons":["external_link","trusted_domain","newsworthy_keywords:threat actor,indicator","non_newsworthy_keywords:beginner","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["threat actor","indicator"],"foundNonNewsworthy":["beginner"]}
- Has External Source: true
- Trusted Domain: true
Threat ID: 687d4780a83201eaac0438f0
Added to database: 7/20/2025, 7:46:08 PM
Last enriched: 7/20/2025, 7:46:23 PM
Last updated: 8/15/2025, 2:11:09 PM
Views: 31
Related Threats
- Police Bust Crypto Money Laundering Group, Nab Smishing SMS Blaster Operator (Medium)
- Building a Free Library for Phishing & Security Awareness Training — Looking for Feedback! (Low)
- 'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan (Medium)
- Trojans Embedded in .svg Files (Medium)
- Plex warns users to patch security vulnerability immediately (High)