
Small Alert, Big Defense: The SonicSentry SOC in Action First Thing in the Morning

by Sarah Wilkinson

Fast action on what seems like a small alert can save the day.

Picture it: it’s 9 a.m. on a Monday morning. Everyone is logging in to start their day, and what are you doing? Logging in yourself, building your battle plan, maybe on your second cup of coffee? You’re probably not sitting at your desk watching Microsoft 365 logins across your company or tenants, analyzing each one to make sure it’s legit.

We’ve written a lot about The 3 AM Problem over the course of the last several weeks, showing that attackers actively seek out times when we aren’t paying attention to carry out their dirty deeds. Weekends, holidays, and the middle of the night are the obvious choices, but they aren’t the only ones. Times when attackers know their attempts might get lost in the shuffle are popular too—times like first thing on a Monday morning, when an additional login might look like all the rest. Here’s a recent example from the SonicSentry SOC.

Conditional Access: Critical for Prevention, But Response is Crucial

Our story begins with a failed login attempt based on a conditional access failure. Conditional access rules set parameters for acceptable behavior, and block access attempts outside of those parameters; for example, you might block logins from countries where you don’t conduct business, or logins on weekends or during other non-business hours. 

However, while a conditional access failure does not mean the attacker got access in that specific moment, it almost always means the affected account has been compromised. In order to trigger the conditional access rules, the login attempt would have successfully gotten through both the password and multi-factor authentication (MFA)—the conditional access rule is the failsafe. Often, attackers will keep trying, changing certain variables, like using a VPN to change the country it appears they’re logging in from. Think of it like a burglar finding your key ring: if they know they’re at the right house, they’ll try every key they have until one works. 

In our example, the SonicSentry SOC caught this conditional access failure early on a Monday morning, right around the time most people are signing on to start their day. The company affected was based in the United Kingdom, and the login attempt was coming from Germany. The SOC alerted our partner of the activity, who was then able to connect with the end user to confirm the attempt did not come from them. The partner was then able to reset the account (both password and MFA) before any malicious activity could occur.

When Minutes Matter

Had the SonicSentry SOC not been monitoring for this partner, there’s a strong likelihood that the conditional access failure would have gone unnoticed. While these failures can be seen in the Microsoft 365 logs, they are not something that is regularly alerted on. This means the partner would have had to be looking at the logs at the time of the access attempt to catch it, and even then, because of the time of day, it would have been like trying to spot a needle in a haystack alongside all the other morning login activity. But missing this alert and not locking down the account would have invited other chaos, as the account’s credentials were still compromised. It would have been only a matter of time before the attacker successfully gained access. From there, they could potentially steal important data or live off the land to get deeper into the environment and cause other harm. The quick response of the SOC is what saved the day.

Another benefit of the SOC’s response was the opportunity for end-user education. When our partner spoke to the affected end user, they learned that this conditional access failure came only moments after that user had logged in. Because of that, when the user got a second MFA prompt on their phone, they simply accepted it and moved on. The partner was able to educate the user not to approve any MFA prompt that does not arrive at the exact moment they themselves are logging in.
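The pattern in this story can be turned into an alert rather than left to a log review. The following is an added detection example (not SonicWall’s or SonicSentry’s code) run over constructed sample records: it flags conditional access blocks and raises severity when the same user had a successful sign-in from a different country moments earlier. It assumes the Microsoft Graph signIn field names and the 53003 BlockedByConditionalAccess error code; the allowed-country set is yours to define.

```python
from datetime import datetime, timedelta

# Constructed sample Entra ID sign-in records (not real data). Field names follow
# the Microsoft Graph signIn resource; 53003 is the BlockedByConditionalAccess
# error code. Assumption: your log export uses the same schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-06-03T08:58:10Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@corp.example", "createdDateTime": "2024-06-03T08:59:42Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"userPrincipalName": "bob@corp.example", "createdDateTime": "2024-06-03T09:01:05Z",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"},
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@corp.example", "createdDateTime": "2024-06-03T09:05:30Z",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "DE"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_ca_block(rec):
    """True when the sign-in passed authentication but was stopped by a CA policy."""
    return rec["conditionalAccessStatus"] == "failure" or rec["status"]["errorCode"] == 53003

def analyze_signins(records, allowed_countries, window=timedelta(minutes=15)):
    """Turn CA failures into alerts; severity is 'high' when the same user had a
    successful sign-in from a different country within the window (the story's
    case: the user approved a second MFA prompt moments after their own login)."""
    ordered = sorted(records, key=_ts)
    alerts = []
    for i, rec in enumerate(ordered):
        if not is_ca_block(rec):
            continue
        country = rec["location"]["countryOrRegion"]
        prior = [p for p in ordered[:i]
                 if p["userPrincipalName"] == rec["userPrincipalName"]
                 and not is_ca_block(p)
                 and _ts(rec) - _ts(p) <= window
                 and p["location"]["countryOrRegion"] != country]
        severity = "high" if prior else ("medium" if country not in allowed_countries else "low")
        alerts.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                       "country": country, "ip": rec["ipAddress"], "severity": severity,
                       "prior_success_from": prior[-1]["location"]["countryOrRegion"] if prior else None,
                       "action": "confirm with user; reset password and MFA"})
    return alerts
```

In the sample data, alice’s German sign-in 92 seconds after her UK login is rated high, while carol’s block with no preceding login is rated medium because it still implies valid credentials.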

When people ask us for examples of how SonicSentry saves the day, sometimes they’re thinking of flashy stories where our expert threat hunters decode PowerShell, stop ransomware in its tracks, or pull entire networks offline to prevent an attack from spreading. While all those things have their place, sometimes the small alerts are what matter. It’s catching small details like a conditional access failure that can truly stop an attack from happening in the first place—and that’s why 24/7 SOC monitoring across your entire environment is so important.

Want to learn more about why timing is everything in cybersecurity response? Check out The 3 AM Problem webinar series!  


An Article By

Sarah Wilkinson

Senior Product Marketing Manager
Sarah Wilkinson is a Senior Product Marketing Manager at SonicWall, primarily responsible for SonicWall’s MXDR services and enabling MSP partners. She is a seasoned cybersecurity marketer, with many years of experience marketing enterprise cybersecurity solutions, primarily in the cyber threat intelligence and threat-informed defense spaces. She’s passionate about making cyber threat intelligence and other proactive cybersecurity tools accessible to small businesses and the MSPs defending them. Sarah is a graduate of West Virginia Wesleyan College.
