T1586 – Compromise Accounts (Azure AD Detection)

Azure AD Alert Details

Alert ID: AAD-COMPROMISE-ACCT-7842
Alert Time: 2024-02-10 16:45:33 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection
Rule: “Impossible Travel + Suspicious Inbox Rule”
MITRE ATT&CK: T1586 – Compromise Accounts

Alert Details:

Identity Protection Risk Detection:

User: jwilson@company.com (Jennifer Wilson – VP of Finance)

Risk Level: HIGH (98%)

Detection Time: 2024-02-10 16:30 EST

Risk Events:

1. Impossible Travel:

   – First Sign-in: New York, USA (10:15 EST) – Legitimate

   – Second Sign-in: Lagos, Nigeria (16:30 EST) – 6 hours later, impossible travel time

   – IP: 197.210.52[.]89 (Nigeria)

   – Device: Windows 10 (unrecognized)

   – User Agent: Chrome 121 on Windows

2. Suspicious Inbox Rule:

   – Rule Created: 16:32 EST

   – Name: “Finance Processing”

   – Action: Forward all emails with “invoice”, “payment”, “ACH” to external address

   – Destination: payments-processing@protonmail[.]com

   – Scope: Entire Inbox + Subfolders

3. Password Reset:

   – Time: 16:28 EST

   – Method: Self-service password reset

   – Authentication: SMS to user’s phone (attacker had SIM swapped?)

   – New password set from Nigeria IP

4. MFA Registration:

   – Time: 16:29 EST

   – New MFA method: Authenticator app added

   – Device: Unknown Android device

   – Country: Nigeria

Additional Context:

– User jwilson has access to financial systems

– Can approve wire transfers up to $500,000

– Part of vendor payment approval chain

– Account normally used only from US/Canada
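The correlation the alert above describes, shown as an added example (not part of the original report and not Identity Protection's own logic): constructed sign-in and inbox-rule events shaped after the risk events listed, with an assumed 1000 km/h travel threshold and an assumed 30-minute window between the risky sign-in and the rule creation.

```python
# Added example, not from the original report: re-implements the
# "Impossible Travel + Suspicious Inbox Rule" correlation over constructed events.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 1000   # assumed threshold: faster than any airline flight
RULE_WINDOW_MIN = 30   # assumed: rule created within 30 min of the risky sign-in
INTERNAL_DOMAINS = {"company.com"}
FINANCE_TERMS = {"invoice", "payment", "ach"}

# Constructed sample data (values taken from the alert as written, IP/domain defanged);
# coordinates are approximate city centres.
NY = {"city": "New York", "lat": 40.71, "lon": -74.01}
LAGOS = {"city": "Lagos", "lat": 6.52, "lon": 3.38, "ip": "197.210.52[.]89"}
SIGNINS = [
    {"user": "jwilson@company.com", "time": datetime(2024, 2, 10, 8, 5), **NY},
    {"user": "jwilson@company.com", "time": datetime(2024, 2, 10, 10, 15), **NY},
    {"user": "jwilson@company.com", "time": datetime(2024, 2, 10, 16, 30), **LAGOS},
]
RULES = [{"user": "jwilson@company.com", "created": datetime(2024, 2, 10, 16, 32),
          "name": "Finance Processing", "keywords": ["invoice", "payment", "ACH"],
          "forward_to": ["payments-processing@protonmail[.]com"]}]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(signins):
    """Consecutive sign-ins per user whose implied speed exceeds MAX_SPEED_KMH."""
    hits, by_user = [], {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    for events in by_user.values():
        for prev, cur in zip(events, events[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = 0 if km == 0 else (km / hours if hours > 0 else float("inf"))
            if speed > MAX_SPEED_KMH:
                hits.append((prev, cur, round(speed)))
    return hits

def suspicious_rule(rule):
    """External forward target plus a finance keyword: the pattern from the alert."""
    external = any(a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for a in rule["forward_to"])
    return external and any(k.lower() in FINANCE_TERMS for k in rule["keywords"])

def correlate(signins, rules):
    """Pair each impossible-travel sign-in with a suspicious rule created soon after."""
    alerts = []
    for prev, cur, speed in impossible_travel(signins):
        for rule in rules:
            minutes = (rule["created"] - cur["time"]).total_seconds() / 60
            if rule["user"] == cur["user"] and 0 <= minutes <= RULE_WINDOW_MIN and suspicious_rule(rule):
                alerts.append({"user": cur["user"], "from": prev["city"], "to": cur["city"],
                               "speed_kmh": speed, "rule": rule["name"], "forward_to": rule["forward_to"]})
    return alerts
```

The New York to New York pair yields no hit; only the Lagos sign-in (roughly 8,500 km in 6.25 hours) exceeds the threshold, and it is then tied to the rule created two minutes later.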

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Azure AD risk detections | Azure AD Portal, Identity Protection | Confirmed account compromise
2. Immediate Containment | Disable compromised account | Azure AD, Active Directory | Account disabled within 5 minutes
3. User Contact | Reach user via alternate channel | Phone, Teams, In-person | User confirmed no activity from Nigeria
4. Inbox Rule Removal | Remove malicious forwarding rule | Exchange Online Admin | Rule deleted; mailbox secured
5. Session Termination | Terminate all active sessions | Azure AD, PowerShell | All sessions revoked
6. Forensic Analysis | Determine compromise method | Azure AD Sign-in Logs, Investigation | SIM swap attack suspected

Jira Incident Report

Ticket: SOC-2024-053
Summary: T1586 – VP of Finance Account Compromised via SIM Swap
Status: RESOLVED
Resolution: MALICIOUS – Account Takeover
Priority: P1 – CRITICAL
Labels: T1586, compromise-accounts, account-takeover, sim-swap, azure-ad, executive
Components: Identity-Management, Incident-Response


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Azure AD Identity Protection.
  • Alert: “Impossible Travel + Suspicious Inbox Rule”.
  • User: jwilson@company.com (VP of Finance).
  • Time: 2024-02-10 16:45 EST (detected), compromise began 16:28 EST.
  • Technique: MITRE ATT&CK T1586 – Compromise Accounts.

2. Technical Analysis:

  • Compromise Timeline:

16:28 – Attacker initiates password reset from Nigeria IP (197.210.52[.]89)

16:28 – SMS sent to user’s phone (SIM swap in progress)

16:28 – Attacker receives SMS, resets password

16:29 – Attacker registers new MFA method (Authenticator app)

16:30 – Attacker signs in from Nigeria (impossible travel detected)

16:31 – Attacker navigates to Outlook Web Access

16:32 – Creates forwarding rule to exfiltrate financial emails

16:33 – Begins reviewing emails for financial data

16:45 – Azure AD Identity Protection alerts

16:46 – SOC begins investigation

16:48 – Account disabled

  • Attack Method:
    – SIM Swap Attack: Attacker convinced mobile carrier to transfer user’s phone number to attacker-controlled SIM.
    – Evidence: User reported “no cell service” starting 16:15 EST.
    – Password Reset: Used SMS to receive reset code (MFA bypass).
  • Attacker Activities:
    – Accessed 47 emails (mostly financial)
    – Downloaded 3 attachments (invoices)
    – Created forwarding rule to protonmail[.]com
    – Attempted to reset vendor payment passwords (blocked by disabled account)
  • Account Privileges:
    – Financial system access
    – Wire transfer approval up to $500,000
    – Vendor payment administration
    – Access to sensitive financial documents

3. Investigation Findings:

  • Timeline:

16:15 – User reports “no cell service” (SIM swap occurring)

16:28 – Password reset initiated

16:30 – Attacker signs in from Nigeria

16:32 – Malicious forwarding rule created

16:45 – Azure AD alert triggers

16:48 – Account disabled (17 minutes after compromise)

  • Indicators of Compromise (IoCs):

Network:

– Attacker IP: 197.210.52[.]89 (Nigeria)

– Forwarding Destination: payments-processing@protonmail[.]com

Account:

– User: jwilson@company.com

– New MFA: Unknown Android device

– Password: Reset by attacker

4. Containment Actions:

  • Immediate Containment (16:45-17:00 EST):
    – Disabled user account in Azure AD and Active Directory.
    – Reset password (attacker’s password invalidated).
    – Removed attacker’s MFA registration.
    – Deleted malicious inbox forwarding rule.
    – Terminated all active sessions.
  • User Recovery (17:00-18:00 EST):
    – Contacted user via alternate channel (Teams).
    – Confirmed SIM swap with mobile carrier.
    – Worked with carrier to restore legitimate SIM.
    – Re-enabled account with new MFA (authenticator app only, no SMS).
  • Forensic Analysis (17:00-19:00 EST):
    – Reviewed accessed emails and attachments.
    – No wire transfers approved during compromise.
    – 47 emails accessed; 3 attachments downloaded.
    – Financial systems logs showed no unauthorized transactions.

5. Root Cause Analysis:

  • Primary Cause: SIM swap attack allowing password reset bypass.
  • Contributing Factors:
    1. SMS used as MFA method (vulnerable to SIM swap).
    2. Mobile carrier security weak (allowed unauthorized SIM transfer).
    3. No additional verification for password reset of privileged accounts.
    4. User targeted due to financial role.

6. Business Impact:

  • Operational Impact: VP of Finance offline for 4 hours.
  • Financial Impact: None (no unauthorized transactions).
  • Data Exposure: 47 emails accessed; 3 attachments downloaded (vendor invoices).
  • Reputational Impact: Potential if customer/vendor data exposed.

7. Remediation & Prevention:

Completed Actions:

  • Account secured and restored.
  • SIM restored with carrier.
  • All affected vendors notified (as precaution).
  • Accessed emails reviewed for sensitivity.

Technical Controls Enhanced:

  • Removed SMS as MFA method for all privileged accounts.
  • Implemented FIDO2 security keys for executives.
  • Added Conditional Access policy requiring trusted locations for password resets.
  • Enhanced monitoring for SIM swap indicators.
  • Implemented admin approval workflow for password resets on privileged accounts.

8. Conclusion:

This incident involved a sophisticated SIM swap attack targeting the VP of Finance. The attacker gained access to the account for 17 minutes before detection. Rapid response prevented financial fraud, though some email data was accessed. Enhanced MFA controls will prevent similar attacks.

Closure Rationale: Account secured; no financial fraud; enhanced controls implemented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 20:00 EST