This alert indicates a high-risk sign-in attempt from a known Tor exit node targeting a non-privileged, domain-joined user. The activity aligns with reconnaissance or credential stuffing tactics, especially given the IP's reputation and threat intelligence context.
**Immediate actions** should focus on blocking the IP, investigating recent sign-in activity, resetting affected accounts if necessary, and enhancing detection rules to prevent similar future attempts.
**Alert Type:** Suspicious Sign-in Attempt from Anonymized IP (Potential Tor Exit Node)
**User:** User ID 6ea7a724-3114-4022-86ec-e3a1badc8933 (Domain-joined, non-privileged)
**Tenant:** 5e8068dd-5753-458c-9e22-ec1ef680efb7 (QA contractor)
**IP Address:** 103.251.167.20
**Geo Location:** Unknown
**Threat Intelligence:** The IP matches entries in the Tor exit node list (https://aisoc.egnite.cloud/torexits.txt).
### **Analysis & Context**
1. **Multiple Sign-ins from the Same IP:**
   - Preliminary checks indicate this IP has attempted sign-ins to multiple users within a short timeframe, suggesting possible scanning or brute-force activity.
2. **User Profile & Targeting:**
   - The user is a non-privileged QA contractor, not typically targeted for high-value access.
   - No prior alerts or unusual activity are associated with this user, but the domain-joined status indicates potential internal access attempts.
3. **IP Reputation & Threat Intelligence:**
   - The IP is listed as a Tor exit node, which is commonly used to anonymize malicious activity.
   - The threat intelligence report (https://aisoc.egnite.cloud/tir/MultiRAT_Threat_Intelligence_Report.pdf) indicates this IP is associated with multiple RAT (Remote Access Trojan) campaigns, botnets, and brute-force attacks.
4. **Behavioral Indicators:**
   - No MFA was recorded during this sign-in attempt, increasing risk.
   - The pattern resembles password spray tactics—broad, low-frequency attempts across multiple accounts, often from anonymized sources.
5. **Additional Checks:**
   - No signs of a successful sign-in or MFA bypass, but the nature of the attempt warrants immediate attention.
   - The sign-in is suspicious given the IP's reputation and the context.
### Recommended Actions
**Immediate:**
- Block or restrict sign-ins from the IP 103.251.167.20 at the network perimeter or via Conditional Access policies.
- Initiate an account lockout or password reset for the affected user.
- Conduct a targeted investigation on recent sign-in logs for this user and similar IPs.
- Review related sign-in attempts for patterns indicative of credential stuffing or brute-force.
**Further Investigation:**
- Cross-reference OfficeActivity logs for any unusual, rare, or administrative Office 365 operations performed by this user.
- Check SigninLogs for other suspicious activity, such as unusual locations, times, or device types.
KUSTO queries:

```kusto
// Query for multiple sign-ins from the IP within the last 24 hours.
// DeviceDetail is a dynamic column, so it is converted to a string for grouping.
SigninLogs
| where TimeGenerated > ago(24h)
| where IPAddress == "103.251.167.20"
| summarize Count = count() by UserPrincipalName, ResultType, Location, tostring(DeviceDetail)
| order by Count desc

// Query for sign-ins from this user across multiple IPs, bucketed per hour.
// The 7d window bounds the scan; widen it if the investigation requires more history.
SigninLogs
| where TimeGenerated > ago(7d)
| where UserId == "6ea7a724-3114-4022-86ec-e3a1badc8933"
| summarize SignInCount = count(), UniqueIPs = dcount(IPAddress) by bin(TimeGenerated, 1h)
| order by TimeGenerated asc
```
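The "Further Investigation" and "enhancing detection rules" items above ask for a way to spot the spray pattern (one source, many accounts, mostly failures) rather than a single IP. The following detection query is an added example and is not part of the original alert write-up; it assumes the Sentinel SigninLogs table, that the Tor exit list at https://aisoc.egnite.cloud/torexits.txt is one IP per line and reachable from the workspace via externaldata, and that the thresholds (5 targeted users, 80% failure rate) are illustrative starting points to tune.

```kusto
// Added example: detect password-spray behaviour originating from Tor exit nodes.
// Assumption: the exit list is plain text, one IPv4/IPv6 address per line.
let lookback = 24h;
let TorExits = externaldata (IPAddress: string)
    [ "https://aisoc.egnite.cloud/torexits.txt" ]
    with (format = "txt")
    | extend IPAddress = trim(@"\s+", IPAddress)
    | where isnotempty(IPAddress) and not(IPAddress startswith "#")
    | distinct IPAddress;
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress in (TorExits)
// ResultType "0" is success; "50126" is bad username/password;
// "53003" is blocked by Conditional Access (still counts as an attempt).
| extend IsFailure = ResultType != "0"
| summarize
    Attempts      = count(),
    Failures      = countif(IsFailure),
    Successes     = countif(not(IsFailure)),
    TargetedUsers = dcount(UserPrincipalName),
    UsersSample   = make_set(UserPrincipalName, 10),
    // Attempts where only a single factor was required (no MFA recorded).
    NoMfaAttempts = countif(AuthenticationRequirement == "singleFactorAuthentication"),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by IPAddress
// Spray signature: many distinct accounts from one source, overwhelmingly failing.
| where TargetedUsers >= 5 and Failures * 100 / Attempts >= 80
// Any success from a spraying Tor exit is the case to escalate first.
| extend Severity = iff(Successes > 0, "High", "Medium")
| order by Successes desc, TargetedUsers desc
```

Rows with `Successes > 0` are the accounts to reset and review first; the rest support the perimeter or Conditional Access block recommended above.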