Triggers
- A successful login has occurred to an account with many characteristics that are both unusual for the account and highly correlated with account compromise.
Possible Root Causes
- An adversary has stolen a valid account and is using it as part of an attack.
- A user has shifted multiple aspects of their normal sign-on behavior which match multiple behaviors associated with malicious account takeovers.
Business Impact
- Adversaries frequently bypass security controls through the malicious, unauthorized use of valid credentials.
- The compromise of a valid account may lead to the loss of confidentiality and integrity of any data and services that the account may access, and it may be used in service of additional lateral movement or attacks against other internal users.
Steps to Verify
- Investigate irregularities associated with these login events for indications of compromise.
- Validate the login activities have been performed in accordance with organizational MFA policies, enforcing re-login with MFA if required.