- account-compromise
- mfa-bypass
- conditional-access
- sspr-abuse
- credential-theft
- identity-protection
Account Takeover Attempt Blocked: Multi-Country Attack with SSPR Abuse
An attacker conducted a coordinated account takeover campaign against a Honduras-based employee, successfully passing MFA to unlock the account twice via self-service password reset but failing to change the password or sign in due to Conditional Access policies and password complexity controls.
Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.
Initial Signal
On March 23, 2026, Microsoft Entra ID flagged user_1@[INTERNAL_DOMAIN_1].com, a Customer Experience Agent based in Honduras, as high-risk after detecting a coordinated account takeover campaign. The alert mapped to T1078 (Valid Accounts) and T1556 (Modify Authentication Process) attack patterns. Between March 22-23, the account exhibited geographically impossible sign-in attempts from Bangladesh (via a VPN with score 99), Malaysia, Spain, Philippines, and Mexico—all within 21 hours. The attacker successfully authenticated using SMS-based MFA to unlock the account twice from Honduras ISP IPs (186.2.128.x), then attempted to reset the password four times using weak passwords that violated the organization's complexity policy. All five high-risk sign-in attempts to Azure Portal and My Signins (MFA management portal) were blocked by Conditional Access policies with error codes 53003 and 53004. The investigation correlated 82 sign-in records, 44 directory audit events, and IPData enrichment across four data sources in 4m 27s, revealing a sustained attack that was contained by policy enforcement but exposed a critical gap: the attacker's ability to pass MFA verification during self-service account recovery.
The Questions We Asked
What follows is the path the agent walked to reach its verdict. Pivots and dead ends both made the cut. Routine steps that just ruled out the obvious are grouped together so you can skim past them.
Did anyone already triage this?
- Negative finding.
Could this be normal work?
- Pivot. Query: What sign-in activity exists in Microsoft Entra ID for this user? (Microsoft Beta Sign Ins) — 82 records.
- [EXTERNAL_IP_2] (Mar 22), then a password reset was attempted 4 times and failed from different Honduras IP [EXTERNAL_IP_6] (Mar 23) — behavior consistent with an attacker who successfully unlocked the account but tried and failed to reset the password.
- [EXTERNAL_IP_1] (Bangladesh) is classified as a VPN with vpn_score of 99 by IPData, suggesting deliberate IP masking — inconsistent with normal user activity.
- [SITE_1], Honduras, which could explain sign-ins from Honduras IPs (186.2.128.x) as normal for this user's location.
Is this outside their job scope?
- Pivot. Query: What sign-in activity exists in Microsoft Entra ID for this user? (Microsoft Beta Sign Ins) — 82 records.
- [EXTERNAL_IP_2], followed by rapid-fire failed sign-in attempts and a subsequent password reset attempt, is not within the expected scope of a Customer Experience Agent's normal activities.
Four checks, mostly ruling out benign explanations.
- [CUSTOM_APP_1] from countries outside Honduras — accessing identity management and admin portals from globally distributed suspicious IPs is not consistent with core customer service agent responsibilities.
Did anything actually stop it?
- Pivot. Query: What sign-in activity exists in Microsoft Entra ID for this user? (Microsoft Beta Sign Ins) — 82 records.
- [CA_POLICY_1]' — security controls successfully prevented access.
- [EXTERNAL_IP_6] failed due to password policy enforcement, preventing the attacker from changing the password.
- [EXTERNAL_IP_2] indicate some malicious actions did succeed — the attacker passed MFA verification to unlock the account.
Do we have enough to call it?
- Ruled out. Query: What sign-in activity exists in Microsoft Entra ID for this user? (Microsoft Beta Sign Ins) — 82 records.
Key Pivots
Detection Opportunities
The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.
| Technique | Tactic | Context |
|---|---|---|
| T1078 Valid Accounts | Initial Access | Flag sign-in attempts from geographically impossible locations within 24 hours (e.g., Honduras to Bangladesh to Malaysia to Spain to Philippines to Mexico). Alert on any single user account generating atRisk sign-ins from five or more distinct countries in a 24-hour window. Correlate IP geolocation with VPN detection scores; IPs with vpn_score >= 90 attempting access to administrative portals (Azure Portal, MFA management) should trigger immediate investigation. |
| T1556.001 Modify Authentication Process: Change Authentication Credentials | Defense Evasion | Monitor for multiple failed password reset attempts (4+ in 24 hours) using weak or policy-violating passwords from the same IP address. Alert on successful account unlock operations via SSPR followed within 2 hours by failed sign-in attempts from different geographies. Track SSPR operations that succeed despite concurrent high-risk sign-in attempts from other IPs; this pattern indicates MFA compromise or SIM swapping. |
| T1078 Valid Accounts | Initial Access | Establish a baseline for CA policy blocks per user per day. Alert when a single user account triggers 5+ CA policy blocks (error codes 53003, 53004) within 24 hours, especially if blocks target administrative resources. Correlate blocked attempts with successful SSPR operations from different IPs to identify partial account compromise (attacker has MFA but not password). |
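The three detection opportunities above, expressed as runnable rules over constructed Entra-style sign-in and directory-audit records. This is example code added for this page, not the report's own tooling: the record fields (`time`, `user`, `ip`, `country`, `vpn_score`, `resource`, `error`, `risk` for sign-ins; `operation`, `result`, `reason` for audits) are a simplified assumption rather than the real Microsoft Entra schema, and every IP address, timestamp and user in the sample data is made up. The rules keep the thresholds the table states (five countries and five CA blocks per 24 hours, vpn_score >= 90, four failed resets per 24 hours, a two-hour unlock-to-failure window).

```python
"""Detection rules from the table above, run over constructed Entra-style
sign-in and directory-audit records. Example code for this page, not the
report's tooling; the record layout is a simplifying assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_RESOURCES = {"Azure Portal", "My Signins"}   # admin and MFA-management portals
CA_BLOCK_CODES = {53003, 53004}                    # Conditional Access block codes cited in the report
SIGNIN_FIELDS = ("time", "user", "ip", "country", "vpn_score", "resource", "error", "risk")
AUDIT_FIELDS = ("time", "user", "ip", "country", "operation", "result", "reason")
DAY, TWO_HOURS = timedelta(hours=24), timedelta(hours=2)


def _load(fields, rows):
    """Turn constructed tuples into dicts with parsed timestamps."""
    out = []
    for row in rows:
        rec = dict(zip(fields, row))
        rec["time"] = datetime.fromisoformat(rec["time"])
        out.append(rec)
    return out


# Constructed sign-ins: error 0 = success; 53003/53004 = blocked by CA policy.
SIGNINS = _load(SIGNIN_FIELDS, [
    ("2026-03-22T10:00", "user_1", "203.0.113.10", "BD", 99, "Azure Portal", 53003, "atRisk"),
    ("2026-03-22T14:30", "user_1", "198.51.100.7", "MY", 0, "My Signins", 53004, "atRisk"),
    ("2026-03-22T19:45", "user_1", "198.51.100.8", "ES", 0, "Azure Portal", 53003, "atRisk"),
    ("2026-03-23T01:10", "user_1", "198.51.100.9", "PH", 0, "My Signins", 53003, "atRisk"),
    ("2026-03-23T06:50", "user_1", "198.51.100.10", "MX", 0, "Azure Portal", 53004, "atRisk"),
    ("2026-03-23T09:00", "user_2", "192.0.2.5", "HN", 0, "Outlook", 0, "none"),
])
# Constructed directory-audit events (SSPR unlock and reset operations).
AUDITS = _load(AUDIT_FIELDS, [
    ("2026-03-22T09:15", "user_1", "192.0.2.20", "HN", "Unlock user account", "success", ""),
    ("2026-03-23T07:30", "user_1", "192.0.2.21", "HN", "Unlock user account", "success", ""),
    ("2026-03-23T08:00", "user_1", "192.0.2.21", "HN", "Reset user password", "failure", "OnPremisesPolicyViolation"),
    ("2026-03-23T08:05", "user_1", "192.0.2.21", "HN", "Reset user password", "failure", "FuzzyPolicyViolation"),
    ("2026-03-23T08:12", "user_1", "192.0.2.21", "HN", "Reset user password", "failure", "OnPremisesPolicyViolation"),
    ("2026-03-23T08:20", "user_1", "192.0.2.21", "HN", "Reset user password", "failure", "FuzzyPolicyViolation"),
])


def _burst(times, count, window):
    """True if any `count` consecutive sorted timestamps fall inside `window`."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def multi_country_risky(signins, min_countries=5, window=DAY):
    """T1078: users whose atRisk sign-ins span >= min_countries inside one window."""
    by_user = defaultdict(list)
    for r in signins:
        if r["risk"] == "atRisk":
            by_user[r["user"]].append(r)
    hits = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["time"])
        for start in rows:
            countries = {r["country"] for r in rows
                         if timedelta(0) <= r["time"] - start["time"] <= window}
            if len(countries) >= min_countries:
                hits[user] = countries
                break
    return hits


def vpn_admin_access(signins, min_score=90):
    """T1078: high-confidence VPN egress (vpn_score >= 90) hitting admin/MFA portals."""
    return [r for r in signins
            if r["vpn_score"] >= min_score and r["resource"] in ADMIN_RESOURCES]


def failed_sspr_resets(audits, min_count=4, window=DAY):
    """T1556.001: (user, ip) pairs with >= min_count failed password resets in one window."""
    by_key = defaultdict(list)
    for a in audits:
        if a["operation"] == "Reset user password" and a["result"] == "failure":
            by_key[(a["user"], a["ip"])].append(a["time"])
    return [k for k, t in by_key.items() if _burst(t, min_count, window)]


def unlock_then_foreign_failures(audits, signins, window=TWO_HOURS):
    """T1556.001: successful SSPR unlock followed by failed sign-ins from another country."""
    hits = []
    for a in audits:
        if a["operation"] != "Unlock user account" or a["result"] != "success":
            continue
        later = {r["country"] for r in signins
                 if r["user"] == a["user"] and r["error"] != 0
                 and r["country"] != a["country"]
                 and timedelta(0) <= r["time"] - a["time"] <= window}
        if later:
            hits.append((a["user"], a["time"].isoformat(), sorted(later)))
    return hits


def ca_block_burst(signins, threshold=5, window=DAY):
    """Users with >= threshold CA blocks in one window; value = whether admin portals were targeted."""
    by_user = defaultdict(list)
    for r in signins:
        if r["error"] in CA_BLOCK_CODES:
            by_user[r["user"]].append(r)
    return {u: any(r["resource"] in ADMIN_RESOURCES for r in rows)
            for u, rows in by_user.items()
            if _burst([r["time"] for r in rows], threshold, window)}


if __name__ == "__main__":
    print("multi-country risky:", multi_country_risky(SIGNINS))
    print("VPN -> admin portal:", [r["ip"] for r in vpn_admin_access(SIGNINS)])
    print("failed SSPR resets:", failed_sspr_resets(AUDITS))
    print("unlock then foreign failures:", unlock_then_foreign_failures(AUDITS, SIGNINS))
    print("CA block bursts:", ca_block_burst(SIGNINS))
```

On the sample data every rule fires for `user_1` and none fires for the benign `user_2`. The `unlock_then_foreign_failures` rule is the one that captures the report's partial-compromise pattern (MFA passed, password unknown): it keys on the audit log, not the sign-in log, which is why a dashboard that only counts CA blocks would miss it.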
Verdict Reasoning
The verdict of True Positive - Blocked at high confidence rests on the following mutually corroborating signals:
1. Five distinct risky sign-in attempts from geographically impossible locations (Bangladesh, Malaysia, Spain, Philippines, Mexico) all flagged as 'atRisk' by Microsoft Entra Identity Protection's ML models and blocked by Conditional Access policies with definitive error codes (53003, 53004)
2. Two successful self-service account unlocks from Honduras ISP IPs recorded in directory audit logs, proving the attacker passed MFA verification using the user's registered SMS method
3. Four failed password reset attempts from Honduras IP [EXTERNAL_IP_6] with error codes indicating password policy violations (OnPremisesPolicyViolation, FuzzyPolicyViolation), confirming the attacker could not change the password
4. IPData enrichment confirming the Bangladesh IP is a VPN (score 99) and the Honduras IPs are standard residential ISPs (proxy_score=0, vpn_score=0), ruling out organizational proxy false positives
5. No 'Correct password' authentication step recorded in any risky sign-in attempt, confirming the attacker does not have the correct password and relied on SMS-based MFA. Confidence is High rather than Confirmed because the Honduras SSPR activity could theoretically include some legitimate user behavior (the user is based in Honduras), though the pattern of rapid unlocks followed by password spray attempts is clearly adversarial
Lessons
- 01. MFA bypass during account recovery is a critical gap. In this investigation, the attacker successfully passed SMS-based MFA verification twice to unlock the account via self-service password reset, even though all subsequent sign-in attempts from foreign IPs were blocked. This reveals that SSPR MFA validation may be weaker than sign-in MFA validation or that the attacker had access to the user's phone number. Implement step-up authentication for SSPR operations targeting privileged accounts, require additional verification (security questions, email confirmation) before account unlock, and monitor SSPR activity as aggressively as sign-in activity.
- 02. A high block rate is not containment. All five risky sign-in attempts were blocked by Conditional Access policies, which looked like a complete win. However, the attacker's two successful account unlocks via SSPR proved they had already compromised the account and could manipulate identity recovery mechanisms. Always audit what did NOT get blocked—the account unlocks, the password reset attempts, the directory changes—not just the sign-in blocks. The blocked count is the distractor.
- 03. Geographically impossible travel is a reliable pivot. This investigation identified the attack within 21 hours because five distinct countries appeared in the sign-in logs within a single day. Honduras to Bangladesh to Malaysia to Spain to Philippines to Mexico is impossible for a human to travel. Implement automated alerting on geographic impossibility (e.g., sign-in from Country A, then Country B more than 1,000 km away within 2 hours). This pattern alone should trigger immediate account lockdown and MFA re-enrollment, regardless of whether individual sign-ins were blocked.
- 04. VPN scores above 90 are not false positives. The Bangladesh IP had a VPN score of 99 from IPData, indicating near-certain VPN usage. A Honduras-based customer service agent has no legitimate reason to access Azure Portal through a Bangladesh VPN. Use VPN detection scores as a hard signal for administrative resource access; do not treat high VPN scores as noise. Pair VPN detection with resource type (Azure Portal, MFA management) to reduce false positives while catching real threats.
- 05. Password policy enforcement saved this account. The attacker failed all four password reset attempts because they could not meet the organization's password complexity requirements. They tried weak passwords that violated policy, and the system rejected them. This is one of the few controls that worked end-to-end. Maintain strict password policies, enforce them consistently across all SSPR and admin reset flows, and monitor for repeated failed password changes as a sign of active attack.