The Attacker Logged In After MFA
The sign-in looked clean.
The password was correct.
MFA was satisfied.
Conditional Access did not block the session.
But the attacker did not appear before MFA.
They appeared afterwards.
Briefing summary
A user completed MFA successfully, but later activity came from a location, device and session pattern that did not fit the user. Agent Foskett investigated whether this was a normal sign-in, token theft, session hijacking or attacker activity after authentication had already succeeded.
What happened
The query that changed the investigation
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
IdentityLogonEvents | where Timestamp > ago(7d) | where ActionType has "LogonSuccess" | project Timestamp, AccountUpn, IPAddress, DeviceName, Application, LogonType, CountryCode, RiskLevel, FailureReason | order by Timestamp desc
Hunting for post-MFA activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
CloudAppEvents | where Timestamp > ago(7d) | where AccountUpn == "user@contoso.com" | project Timestamp, AccountUpn, Application, ActionType, IPAddress, DeviceType, UserAgent, ObjectName, ActivityType | order by Timestamp asc
Agent Foskett moment
What most environments miss
How defenders can investigate it
Related investigations
Final thought
The login passed MFA, but the activity afterwards did not fit the user. Explore related investigations including The User Passed MFA But It Wasn't Really Them, The Session Token Never Expired, and The Login Was Successful But The Risk Was High.
Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD