T1586 – Compromise Accounts (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-COMPROMISE-ACCT-7842
Alert Time: 2024-02-10 16:45:33 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection
Rule: “Impossible Travel + Suspicious Inbox Rule”
MITRE ATT&CK: T1586 – Compromise Accounts

Alert Details:

Identity Protection Risk Detection:

User: jwilson@company.com (Jennifer Wilson – VP of Finance)

Risk Level: HIGH (98%)

Detection Time: 2024-02-10 16:30 EST

Risk Events:

1. Impossible Travel:

– First Sign-in: New York, USA (10:15 EST) – Legitimate

– Second Sign-in: Lagos, Nigeria (16:30 EST) – 6 hours later, impossible travel time

– IP: 197.210.52[.]89 (Nigeria)

– Device: Windows 10 (unrecognized)

– User Agent: Chrome 121 on Windows

2. Suspicious Inbox Rule:

– Rule Created: 16:32 EST

– Name: “Finance Processing”

– Action: Forward all emails with “invoice”, “payment”, “ACH” to external address

– Destination: payments-processing@protonmail[.]com

– Scope: Entire Inbox + Subfolders

3. Password Reset:

– Time: 16:28 EST

– Method: Self-service password reset

– Authentication: SMS to user’s phone (attacker had SIM swapped?)

– New password set from Nigeria IP

4. MFA Registration:

– Time: 16:29 EST

– New MFA method: Authenticator app added

– Device: Unknown Android device

– Country: Nigeria

Additional Context:

– User jwilson has access to financial systems

– Can approve wire transfers up to $500,000

– Part of vendor payment approval chain

– Account normally used only from US/Canada
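The four risk events above only become a critical alert when they are correlated: a self-service password reset, a new MFA registration, a sign-in whose distance from the previous sign-in is not reachable in the elapsed time, and an inbox rule forwarding payment-related mail outside the tenant, all within a few minutes. The following script is an added example written for this write-up (it is not Microsoft's Identity Protection logic nor the SOC's tooling) that runs that correlation over constructed events mirroring the alert. The `Event` fields, the `detail` dictionary keys, the 900 km/h travel threshold, the 15-minute chain window and the `203.0.113.10` address for the legitimate New York sign-in are all assumptions of the example, not the real Azure AD sign-in or audit log schema.

```python
"""Correlate identity events into an account-takeover detection.

Added example for this write-up, not Microsoft's or the SOC's own tooling.
Events are constructed to mirror the alert timeline. Field names, detail
keys and thresholds are assumptions, not the Azure AD log schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ORG_DOMAINS = {"company.com"}
ALLOWED_COUNTRIES = {"US", "CA"}        # account normally used only from US/Canada
MAX_PLAUSIBLE_KMH = 900.0               # faster than this between sign-ins = impossible travel
FINANCE_KEYWORDS = {"invoice", "payment", "ach"}
CHAIN_WINDOW = timedelta(minutes=15)    # reset -> MFA -> sign-in -> rule inside this window
CHAIN_KINDS = ("password_reset", "mfa_register", "signin", "inbox_rule")


@dataclass
class Event:
    user: str
    kind: str                 # one of CHAIN_KINDS
    time: datetime
    ip: str = ""
    country: str = ""
    lat: float = 0.0
    lon: float = 0.0
    detail: dict = field(default_factory=dict)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True if reaching `cur` from `prev` would exceed MAX_PLAUSIBLE_KMH."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.time - prev.time).total_seconds() / 3600
    if hours <= 0:                      # simultaneous sign-ins from different places
        return km > 50.0
    return km / hours > MAX_PLAUSIBLE_KMH


def is_external_forward(rule):
    """True when the rule forwards mail to a domain outside the organisation."""
    dest = rule.get("forward_to", "").lower()
    return "@" in dest and dest.rsplit("@", 1)[1] not in ORG_DOMAINS


def targets_finance(rule):
    """True when the rule's keyword filter overlaps payment-related terms."""
    return bool({k.lower() for k in rule.get("keywords", [])} & FINANCE_KEYWORDS)


def detect_takeover(events):
    """Return {'severity': ..., 'findings': [...]} for one user's events."""
    events = sorted(events, key=lambda e: e.time)
    findings, stage, last_signin = [], {}, None    # stage: kind -> first suspicious time
    for e in events:
        if e.kind == "signin":
            if e.country and e.country not in ALLOWED_COUNTRIES:
                stage.setdefault(e.kind, e.time)
                findings.append(f"sign-in from unusual country {e.country} at {e.time:%H:%M}")
            if last_signin and impossible_travel(last_signin, e):
                findings.append(f"impossible travel {last_signin.country}->{e.country} at {e.time:%H:%M}")
            last_signin = e
        elif e.kind == "inbox_rule" and is_external_forward(e.detail):
            stage.setdefault(e.kind, e.time)
            what = "finance-keyword" if targets_finance(e.detail) else "external"
            findings.append(f"{what} forwarding rule '{e.detail.get('name')}' -> {e.detail['forward_to']}")
        elif e.kind in ("password_reset", "mfa_register") and e.country not in ALLOWED_COUNTRIES:
            stage.setdefault(e.kind, e.time)
            findings.append(f"{e.kind} from {e.country or 'unknown'} at {e.time:%H:%M}")
    # Full takeover chain: every stage seen, and all of them inside CHAIN_WINDOW.
    full_chain = all(k in stage for k in CHAIN_KINDS) and \
        max(stage.values()) - min(stage.values()) <= CHAIN_WINDOW
    severity = ("CRITICAL" if full_chain else "HIGH" if len(findings) >= 2
                else "MEDIUM" if findings else "NONE")
    return {"severity": severity, "findings": findings}


def T(hh, mm):
    return datetime(2024, 2, 10, hh, mm)


NY, LAGOS = (40.71, -74.01), (6.52, 3.38)          # approximate city coordinates
SAMPLE_EVENTS = [                                   # constructed to mirror the alert
    Event("jwilson@company.com", "signin", T(10, 15), "203.0.113.10", "US", *NY),
    Event("jwilson@company.com", "password_reset", T(16, 28), "197.210.52.89", "NG", *LAGOS,
          {"method": "sspr", "auth": "sms"}),
    Event("jwilson@company.com", "mfa_register", T(16, 29), "197.210.52.89", "NG", *LAGOS,
          {"method": "authenticator", "device": "unknown Android"}),
    Event("jwilson@company.com", "signin", T(16, 30), "197.210.52.89", "NG", *LAGOS),
    Event("jwilson@company.com", "inbox_rule", T(16, 32), "197.210.52.89", "NG", *LAGOS,
          {"name": "Finance Processing", "keywords": ["invoice", "payment", "ACH"],
           "forward_to": "payments-processing@protonmail.com"}),
]

if __name__ == "__main__":
    result = detect_takeover(SAMPLE_EVENTS)
    print(result["severity"])
    for f in result["findings"]:
        print(" -", f)
```

Run on the sample, the New York to Lagos leg works out to roughly 8,500 km in 6.25 hours (about 1,350 km/h, well past any airline speed), the forwarding rule is flagged both as external and as finance-targeted, and because all four stages fall inside the window the result is CRITICAL; the legitimate New York sign-in alone yields NONE. In production the same checks would be fed from the Azure AD sign-in log (location and IP) and the Exchange audit log (New-InboxRule events) rather than constructed events.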

SOC Investigation Process

Step 1 – Alert Validation
– Action: Verify Azure AD risk detections
– Tools Used: Azure AD Portal, Identity Protection
– Findings: Confirmed account compromise

Step 2 – Immediate Containment
– Action: Disable compromised account
– Tools Used: Azure AD, Active Directory
– Findings: Account disabled within 5 minutes

Step 3 – User Contact
– Action: Reach user via alternate channel
– Tools Used: Phone, Teams, In-person
– Findings: User confirmed no activity from Nigeria

Step 4 – Inbox Rule Removal
– Action: Remove malicious forwarding rule
– Tools Used: Exchange Online Admin
– Findings: Rule deleted; mailbox secured

Step 5 – Session Termination
– Action: Terminate all active sessions
– Tools Used: Azure AD, PowerShell
– Findings: All sessions revoked

Step 6 – Forensic Analysis
– Action: Determine compromise method
– Tools Used: Azure AD Sign-in Logs, Investigation
– Findings: SIM swap attack suspected

Jira Incident Report
Ticket: SOC-2024-053
Summary: T1586 – VP of Finance Account Compromised via SIM Swap
Status: RESOLVED
Resolution: MALICIOUS – Account Takeover
Priority: P1 – CRITICAL
Labels: T1586, compromise-accounts, account-takeover, sim-swap, azure-ad, executive
Components: Identity-Management, Incident-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Azure AD Identity Protection.
Alert: “Impossible Travel + Suspicious Inbox Rule”.
User: jwilson@company.com (VP of Finance).
Time: 2024-02-10 16:45 EST (detected), compromise began 16:28 EST.
Technique: MITRE ATT&CK T1586 – Compromise Accounts.

2. Technical Analysis:

Compromise Timeline:

16:28 – Attacker initiates password reset from Nigeria IP (197.210.52[.]89)

16:28 – SMS sent to user’s phone (SIM swap in progress)

16:28 – Attacker receives SMS, resets password

16:29 – Attacker registers new MFA method (Authenticator app)

16:30 – Attacker signs in from Nigeria (impossible travel detected)

16:31 – Attacker navigates to Outlook Web Access

16:32 – Creates forwarding rule to exfiltrate financial emails

16:33 – Begins reviewing emails for financial data

16:45 – Azure AD Identity Protection alerts

16:46 – SOC begins investigation

16:48 – Account disabled

Attack Method:

SIM Swap Attack: Attacker convinced mobile carrier to transfer user’s phone number to attacker-controlled SIM.
Evidence: User reported “no cell service” starting 16:15 EST.
Password Reset: Used SMS to receive reset code (MFA bypass).

Attacker Activities:

Accessed 47 emails (mostly financial)
Downloaded 3 attachments (invoices)
Created forwarding rule to protonmail[.]com
Attempted to reset vendor payment passwords (blocked by disabled account)

Account Privileges:

Financial system access
Wire transfer approval up to $500,000
Vendor payment administration
Access to sensitive financial documents

3. Investigation Findings:

Timeline:

16:15 – User reports “no cell service” (SIM swap occurring)

16:28 – Password reset initiated

16:30 – Attacker signs in from Nigeria

16:32 – Malicious forwarding rule created

16:45 – Azure AD alert triggers

16:48 – Account disabled (17 minutes after compromise)

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 197.210.52[.]89 (Nigeria)

– Forwarding Destination: payments-processing@protonmail[.]com

Account:

– User: jwilson@company.com

– New MFA: Unknown Android device

– Password: Reset by attacker

4. Containment Actions:

Immediate Containment (16:45-17:00 EST):

Disabled user account in Azure AD and Active Directory.
Reset password (attacker’s password invalidated).
Removed attacker’s MFA registration.
Deleted malicious inbox forwarding rule.
Terminated all active sessions.

User Recovery (17:00-18:00 EST):

Contacted user via alternate channel (Teams).
Confirmed SIM swap with mobile carrier.
Worked with carrier to restore legitimate SIM.
Re-enabled account with new MFA (authenticator app only, no SMS).

Forensic Analysis (17:00-19:00 EST):

Reviewed accessed emails and attachments.
No wire transfers approved during compromise.
47 emails accessed; 3 attachments downloaded.
Financial systems logs showed no unauthorized transactions.

5. Root Cause Analysis:

Primary Cause: SIM swap attack allowing password reset bypass.
Contributing Factors:
SMS used as MFA method (vulnerable to SIM swap).
Mobile carrier security weak (allowed unauthorized SIM transfer).
No additional verification for password reset of privileged accounts.
User targeted due to financial role.

6. Business Impact:

Operational Impact: VP of Finance offline for 4 hours.
Financial Impact: None (no unauthorized transactions).
Data Exposure: 47 emails accessed; 3 attachments downloaded (vendor invoices).
Reputational Impact: Potential if customer/vendor data exposed.

7. Remediation & Prevention:

Completed Actions:

Account secured and restored.
SIM restored with carrier.
All affected vendors notified (as precaution).
Accessed emails reviewed for sensitivity.

Technical Controls Enhanced:

Removed SMS as MFA method for all privileged accounts.
Implemented FIDO2 security keys for executives.
Added Conditional Access policy requiring trusted locations for password resets.
Enhanced monitoring for SIM swap indicators.
Implemented admin approval workflow for password resets on privileged accounts.
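The first two controls (no SMS for privileged accounts, FIDO2 for executives) and the SIM-swap monitoring item only hold if someone checks registered authentication methods continuously rather than once. The script below is an added example written for this write-up, not Microsoft's code, that audits a set of user records against those rules and also flags an authenticator or security key registered within the last 24 hours, which is what the 16:29 registration on an unknown Android device would have looked like. The records are constructed; their shape imitates the items returned by Microsoft Graph `GET /users/{id}/authentication/methods` (the `@odata.type` values are real Graph method type names), while the per-user wrapper, the `privileged` flag, the `registered` datetime field (Graph exposes `createdDateTime` as an ISO string) and the sample users other than jwilson are assumptions of the example.

```python
"""Audit registered authentication methods against the post-incident MFA policy.

Added example for this write-up, not Microsoft's code. Records are constructed;
@odata.type values are real Graph method types, everything else about the
record shape (user, privileged, registered) is an assumption of this example.
"""
from datetime import datetime, timedelta

SMS_CAPABLE = {"#microsoft.graph.phoneAuthenticationMethod"}
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
AUTHENTICATOR = {"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}
PASSWORD_ONLY = {"#microsoft.graph.passwordAuthenticationMethod"}
RECENT = timedelta(hours=24)            # new registrations inside this window get a review


def audit_user(record, now):
    """Return a list of policy violations / anomalies for one user record."""
    methods = record["methods"]
    types = {m["@odata.type"] for m in methods}
    mfa_types = types - PASSWORD_ONLY
    issues = []
    if record["privileged"]:
        if types & SMS_CAPABLE:
            issues.append("phone/SMS method registered on privileged account (SIM-swap exposure)")
        if not types & PHISHING_RESISTANT:
            issues.append("no phishing-resistant method (FIDO2 / Windows Hello) registered")
    if not mfa_types:
        issues.append("password only, no MFA method registered")
    elif mfa_types <= SMS_CAPABLE:
        issues.append("SMS is the only MFA method")
    for m in methods:
        reg = m.get("registered")
        if reg and now - reg <= RECENT and m["@odata.type"] in AUTHENTICATOR | PHISHING_RESISTANT:
            minutes = int((now - reg).total_seconds() // 60)
            issues.append(f"'{m.get('displayName', 'unnamed device')}' registered {minutes} min ago; verify with user")
    return issues


def audit_tenant(records, now):
    """Map each user with at least one issue to its list of issues."""
    out = {}
    for r in records:
        issues = audit_user(r, now)
        if issues:
            out[r["user"]] = issues
    return out


NOW = datetime(2024, 2, 10, 16, 45)     # alert time from the write-up
SAMPLE_RECORDS = [                      # constructed; jwilson mirrors the incident state
    {"user": "jwilson@company.com", "privileged": True, "methods": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
         "displayName": "Unknown Android device", "registered": datetime(2024, 2, 10, 16, 29)},
    ]},
    {"user": "cfo@company.com", "privileged": True, "methods": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod",
         "displayName": "Security key", "registered": datetime(2024, 1, 5, 9, 0)},
    ]},
    {"user": "intern@company.com", "privileged": False, "methods": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
    ]},
]

if __name__ == "__main__":
    for user, issues in audit_tenant(SAMPLE_RECORDS, NOW).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

On the sample data jwilson produces three findings (SMS on a privileged account, no phishing-resistant method, an authenticator registered 16 minutes before the alert), the cfo record with only a FIDO2 key passes cleanly, and the non-privileged intern is flagged only for having SMS as the sole second factor. Scheduling this against live Graph data turns the "SIM swap indicators" control into something that fires on the registration itself rather than waiting for the impossible-travel alert.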

8. Conclusion:

This incident involved a sophisticated SIM swap attack targeting the VP of Finance. The attacker gained access to the account for 17 minutes before detection. Rapid response prevented financial fraud, though some email data was accessed. Enhanced MFA controls will prevent similar attacks.

Closure Rationale: Account secured; no financial fraud; enhanced controls implemented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 20:00 EST
