Microsoft Entra ID • Impossible Travel • Identity Investigation

The Impossible Travel Alert Was Wrong

An impossible travel alert usually gets attention.

A user appeared to sign in from Melbourne and then Singapore only minutes later.

The alert looked genuine.

The risk score increased.

The investigation suggested compromise.

The telemetry suggested something else entirely.

Agent Foskett investigation into an Impossible Travel alert caused by a VPN location anomaly
Briefing summary

An Impossible Travel alert suggested a user had authenticated from two countries within twelve minutes. Agent Foskett investigated the sign-ins, compared device information, analysed IP addresses and reconstructed the session timeline. The result revealed a VPN location change rather than account compromise.

Same device observed
VPN exit node changed location
Risk alert investigated successfully

What happened

The alert appeared to show an impossible journey.
The first sign-in was local: The user signed in from Melbourne, Australia, during normal business activity. Nothing about the first event looked suspicious on its own.
The second sign-in changed country: Twelve minutes later the same account appeared to authenticate from Singapore. That location change could not be explained by travel.
The alert made sense: Microsoft flagged the activity as Impossible Travel because the two sign-ins were too far apart geographically and too close together in time to be normal movement.

The query that started the investigation

The alert was only the beginning. The investigation needed identity, device, IP and timeline context.
identity-investigation.kql

// Defender XDR Advanced Hunting: pull one user's sign-ins in time order so that
// location, device and network context can be compared side by side.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn == "user@company.com"
// IdentityLogonEvents exposes geography as Location and IP ownership as ISP;
// sign-in risk levels live in AADSignInEventsBeta (RiskLevelDuringSignIn), not here.
| project Timestamp, IPAddress, Location, ISP,
          DeviceName, Application
| order by Timestamp asc
Location was only one signal: The country changed, but the investigation needed to compare device, application, IP ownership and sign-in sequence before reaching a conclusion.
The timeline mattered: Two sign-ins separated by minutes can indicate compromise, token reuse, VPN movement or a normal user reconnecting through different infrastructure.
The alert needed validation: Impossible Travel should be treated seriously, but it should not be treated as proof until supporting evidence has been reviewed.

The device told a different story

The locations changed. The device did not.
The same endpoint appeared: The sign-ins showed the same managed device details. That did not rule out compromise, but it changed the shape of the investigation.
The browser matched: The operating system and browser characteristics remained consistent. The activity looked more like session continuity than a new attacker device.
The user pattern held: The applications accessed, timing and device telemetry aligned with normal user behaviour. The location was strange, but the user story was consistent.
What it was not: It was not evidence of a user physically travelling from Melbourne to Singapore in twelve minutes.
What it might have been: It could have been stolen credentials, a stolen session token, a proxy, a VPN exit node, or legitimate remote access behaviour.
Why the device mattered: The device did not prove innocence, but it gave the investigation a stronger lead than location alone.

The network explained everything

The user never moved. Their traffic did.
The first IP was local: The first sign-in came from the user's normal Australian internet connection. That matched the user's expected location and work pattern.
The VPN reconnected: A brief network interruption caused the VPN tunnel to re-establish. The next session exited through infrastructure in another country.
The second IP was Singapore: Microsoft saw the sign-in from Singapore because that was the apparent exit point. The user was still sitting in Australia.

Agent Foskett moment

The alert was not useless. It was a lead that needed context.
Alerts start investigations: The Impossible Travel alert correctly identified unusual behaviour. It gave the defender a reason to look closer.
Telemetry finishes them: The investigation used device, network and timeline evidence to determine that the activity was legitimate.
Assumptions are dangerous: Compromise was possible, but not proven. The better question was what the full sign-in story showed.

What most environments miss

Impossible Travel does not always mean impossible behaviour. Sometimes it means incomplete context.
VPNs can trigger travel alerts: Corporate VPNs, cloud proxies and secure web gateways can make one user appear in multiple countries without the user moving anywhere.
Mobile networks can be noisy: Mobile carriers and roaming services can shift apparent geography. Location data is useful, but it is not the whole investigation.
Risk does not equal compromise: Risk signals identify activity that deserves review. They do not remove the need for human investigation and evidence-based decisions.

How defenders can investigate it

Treat Impossible Travel as important, but validate it using more than the map.
Compare device details: Check whether the sign-ins used the same managed endpoint, browser, operating system, device identity and compliance posture.
Review IP intelligence: Identify VPN providers, cloud hosting ranges, proxy services, secure web gateways and normal corporate egress points.
Rebuild the timeline: Place sign-ins, MFA events, Conditional Access results, application activity and device telemetry in order before deciding whether the account is compromised.
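One way to apply those three checks offline to exported sign-in rows, as an added example that is not the briefing's or Microsoft's own code: it sorts the events into a timeline, tests whether the implied speed between consecutive sign-ins is physically possible, and only then looks at device continuity and IP ownership. The SignIn type, the KNOWN_EGRESS_ISPS allowlist, the 900 km/h threshold and the Melbourne and Singapore events are assumptions constructed to mirror the scenario above.

```python
# Added example, not the briefing's own code: offline triage of an Impossible Travel
# pair using the three checks above (device continuity, IP ownership, timeline).
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster implies no physical travel
# Hypothetical allowlist of egress providers the organisation already knows about
# (corporate VPN, cloud proxy, secure web gateway). Populate from your own records.
KNOWN_EGRESS_ISPS = {"ExampleCorp VPN"}
@dataclass(frozen=True)
class SignIn:
    ts: datetime
    lat: float
    lon: float
    device: str  # managed device name or device id from the sign-in record
    isp: str     # owner of the IP range, from IP intelligence

def km_between(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def classify_pair(prev: SignIn, cur: SignIn) -> str:
    """Verdict for one consecutive pair of sign-ins from the same account."""
    distance = km_between(prev, cur)
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    if distance < 1.0 or (hours > 0 and distance / hours <= MAX_PLAUSIBLE_KMH):
        return "no_travel_anomaly"
    # Impossible travel is real; now add the context the map alone lacks.
    if prev.device != cur.device:
        return "escalate_new_device"      # location AND device changed
    if cur.isp in KNOWN_EGRESS_ISPS:
        return "likely_vpn_exit_change"   # same device, known egress provider
    return "escalate_unexplained"         # same device, unrecognised network

def triage(events: list[SignIn]) -> list[str]:
    """Rebuild the timeline (sort by time) and classify each consecutive pair."""
    ordered = sorted(events, key=lambda e: e.ts)
    return [classify_pair(a, b) for a, b in zip(ordered, ordered[1:])]

# Constructed sample mirroring the briefing: Melbourne, then Singapore twelve minutes
# later, same managed device, second IP owned by the known corporate VPN provider.
MELBOURNE = SignIn(datetime(2024, 1, 1, 9, 0), -37.8136, 144.9631, "LAPTOP-01", "Example Aus ISP")
SINGAPORE = SignIn(datetime(2024, 1, 1, 9, 12), 1.3521, 103.8198, "LAPTOP-01", "ExampleCorp VPN")

if __name__ == "__main__":
    print(triage([SINGAPORE, MELBOURNE]))  # deliberately unsorted input
```

A verdict of likely_vpn_exit_change still deserves a quick confirmation against the VPN gateway logs; the escalate_ verdicts are where the full MFA and Conditional Access timeline review starts.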

Related investigations

The Login Was Successful But The Risk Was High: Successful authentication does not always mean trusted authentication when risk, device and session context tell a different story.
The Login Came Through A Trusted Device: A trusted device can reduce suspicion, but it should never stop an investigation when the surrounding behaviour is unusual.
The User Passed MFA But It Wasn't Really Them: MFA success is important, but defenders still need to understand who controlled the session after authentication completed.
The Session Token Never Expired: Some identity investigations are not about passwords at all. They are about session behaviour after access has already been granted.
The MFA Method Was Added At 3:14AM: Authentication methods can become evidence when account changes occur at unusual times or outside normal user behaviour.
Investigating IdentityLogonEvents: Learn how Defender XDR identity telemetry helps investigate sign-ins, authentication patterns and user activity.
The alert suggested the user travelled halfway around the world.
The telemetry suggested the VPN did.

Final thought

The Impossible Travel alert was real. The account compromise was not.
At GEMXIT: We help organisations investigate Microsoft Entra ID sign-in risk, Impossible Travel alerts, Conditional Access behaviour, Microsoft Defender XDR telemetry and identity compromise risk across Microsoft 365 environments. If you want to understand how this applies to your environment, see our Identity and Access security services.
Agent Foskett mindset: Do not only ask whether the alert fired. Ask what the device, IP address, user behaviour, MFA history and timeline say when reviewed together.

The alert suggested a user had travelled from Melbourne to Singapore in twelve minutes. The device, timeline and network evidence revealed a VPN exit node instead. Explore related investigations including The Login Was Successful But The Risk Was High, The User Passed MFA But It Wasn't Really Them, and Investigating IdentityLogonEvents.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Impossible Travel Alert Investigation

This Agent Foskett briefing explains how an Impossible Travel alert in Microsoft Entra ID can look like account compromise but turn out to be legitimate VPN or proxy behaviour.

Microsoft Entra ID Sign-In Risk

Sign-in risk signals should be investigated with device context, IP address intelligence, Conditional Access results, MFA events and user behaviour before declaring an account compromised.

VPN Location Anomalies And Identity Security

VPN services, proxy infrastructure and secure web gateways can cause unusual location changes that trigger impossible travel detections even when the user has not physically moved.