Command Zero
Narration by Agent Zero
Mediumrun-34e49d78-9473-4d7e-a0ac-4927caa8a777
Credential Compromise
High confidence
  • credential-compromise
  • account-access
  • conditional-access
  • hosting-provider
  • ropc-protocol

Credential Compromise Detected: Valid Credentials Used from Luxembourg Hosting Provider but Blocked by Conditional Access

Valid credentials for a Philippines-based user were used in an authentication attempt from a Luxembourg hosting provider IP on February 25, 2026. Conditional Access policies blocked the attempt, preventing account access.

AUTONOMOUS INVESTIGATION · Command Zero · Agent Zero
Investigation time: 3m 8s (autonomous)
Questions asked: 3 (Microsoft Entra)
Records analyzed: 2 (across all data sources)
Human analysis: ~1 hr (Tier-2 equivalent *)
Analyst cost saved: ~$78 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On February 25, 2026, Microsoft Entra ID detected a failed authentication attempt for user_1@[INTERNAL_DOMAIN_1].com, a Philippines-based [ROLE_1] in [ORG_1]. The attempt originated from IP address [EXTERNAL_IP_1] in Luxembourg, registered to FranTech Solutions, a hosting provider. The alert mapped to MITRE technique T1078 (Valid Accounts), a credential-based attack vector. What made this signal stand out: the authentication used valid credentials (Password Hash Sync confirmed the password was correct), yet came from an impossible location for the user's profile. The attacker used ROPC (Resource Owner Password Credentials) protocol with a node-fetch user agent—a programmatic access pattern, not a browser login. The device was unmanaged and non-compliant. Microsoft Entra ID's risk engine flagged the attempt as high-risk and Conditional Access policies blocked token issuance. The investigation correlated Microsoft Entra ID sign-in logs and user resource data across 3 invocations in 3 minutes 8 seconds, revealing no successful logins from the suspicious IP and confirming the user lacks MFA protection.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be an account compromise?

Ruled out
Supporting evidence:
  • Failed sign-in attempt from Luxembourg using valid credentials (Moderate)
  • Authentication was blocked by Conditional Access policies (Moderate)
  • No successful sign-ins from the suspicious IP address (Moderate)
Dismissed: While there was a failed authentication attempt from an unusual location (Luxembourg) using valid credentials, there is no evidence of successful access to the account. The authentication was blocked by Conditional Access policies, preventing actual account compromise. · High confidence
H2: Could this be normal activity?

Ruled out
Supporting evidence:
  • Authentication from Luxembourg while user is based in Philippines (Moderate)
  • Use of ROPC protocol, which bypasses modern authentication flows (Moderate)
  • Unmanaged, non-compliant device used for authentication (Moderate)
Dismissed: The authentication attempt from Luxembourg using ROPC protocol from an unmanaged device is not consistent with normal activity patterns for this user. The user is based in the Philippines ([SITE_1]) according to their profile, and there is no evidence of authorized travel to Luxembourg. The high risk assessment during sign-in further contradicts a normal activity classification. · High confidence
H3: Could this be a false positive?

Ruled out
Supporting evidence:
  • Authentication attempt used valid credentials (password validated) (Moderate)
  • Conditional Access policies correctly identified and blocked the suspicious attempt (Moderate)
  • Authentication protocol (ROPC) and location (Luxembourg) represent genuine security concerns (Moderate)
Dismissed: This is not a false positive alert. The authentication attempt was genuine, used valid credentials, and was correctly blocked by Conditional Access policies as designed. The risk assessment of 'high' during sign-in is appropriate given the unusual location and authentication method. · High confidence
H4: Could this be a policy violation?

Ruled out
Supporting evidence:
  • IP address belongs to FranTech Solutions hosting provider in Luxembourg (Moderate)
  • User is based in Philippines with no evidence of travel to Luxembourg (Moderate)
  • Use of ROPC protocol, which bypasses modern authentication flows (Moderate)
Dismissed: While there was a violation of security policies (attempting to authenticate from an unmanaged device in an unusual location), the evidence suggests this was an unauthorized access attempt rather than a legitimate user violating policy. The IP address belongs to a hosting provider (FranTech Solutions) in Luxembourg, which is inconsistent with the user's Philippines-based role, and there is no evidence of business travel or legitimate need to access from this location. · High confidence

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • authentication log (Microsoft Entra ID Sign-in Logs): Failed sign-in attempt from IPv6 address [EXTERNAL_IP_1] (Luxembourg) on 2026-02-25T11:31:55Z using valid credentials for user_1@[INTERNAL_DOMAIN_1].com
  • authentication method (Microsoft Entra ID Sign-in Logs): Authentication method detail shows 'Password Hash Sync' was used and validated the credentials, but the overall authentication was blocked by Conditional Access policies
  • authentication protocol (Microsoft Entra ID Sign-in Logs): Authentication protocol used was ROPC (Resource Owner Password Credentials), which bypasses modern interactive authentication flows
  • user agent (Microsoft Entra ID Sign-in Logs): User agent string 'node-fetch' indicates programmatic access rather than traditional browser-based interaction
  • risk assessment (Microsoft Entra ID Sign-in Logs): Risk level during sign-in was assessed as 'high' by Microsoft Entra ID
  • device compliance (Microsoft Entra ID Sign-in Logs): Device used for authentication was neither compliant nor managed (deviceIsCompliant: false, deviceIsManaged: false)
  • IP intelligence (IPData Enrichment): IP address [EXTERNAL_IP_1] belongs to FranTech Solutions, a hosting provider, indicating potential use of cloud infrastructure for the access attempt
  • user profile (Microsoft Entra ID User Data): User user_1 is based in [SITE_1], Philippines as a [ROLE_1] in the [ORG_1] department
  • authentication configuration (Microsoft Entra ID User Data): User is not MFA registered (isMfaRegistered: false) and not MFA capable (isMfaCapable: false)
  • authentication log (Microsoft Entra ID Sign-in Logs): No successful sign-in activity was recorded from the suspicious IP address during the investigation timeframe

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Verified the authentication attempt used valid credentials (Pass)
  2. fp2: Analyzed location and access method for legitimacy (Pass)
  3. fp3: Evaluated for potential business travel scenario (Pass)
  4. fp4: Checked for potential legitimate automation or scripting (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Failed Sign-In from Unusual Location
Technique: T1078 Valid Accounts · Tactic: Initial Access
Context: Flag failed authentication attempts from IP addresses in countries or regions where the user has no business presence, especially from hosting provider IP ranges. Alert on ROPC protocol usage with non-browser user agents (node-fetch, curl, wget) combined with unmanaged or non-compliant devices. Threshold: any single ROPC attempt from an out-of-region IP should trigger investigation if the user lacks MFA.

Unmanaged Device Authentication
Technique: T1078.004 Cloud Accounts · Tactic: Initial Access
Context: Monitor authentication attempts from devices where deviceIsManaged=false and deviceIsCompliant=false, especially when combined with unusual geographic location or non-interactive authentication protocols. Correlate with the user's baseline device inventory to identify unauthorized device usage. Alert on any successful authentication from an unmanaged device for users without MFA.

Programmatic Access Pattern
Technique: T1078 Valid Accounts · Tactic: Initial Access
Context: Detect ROPC (Resource Owner Password Credentials) protocol usage combined with non-browser user agents (node-fetch, curl, Python requests, etc.). ROPC is legitimate for service accounts and automation, but suspicious for interactive user accounts. Flag ROPC attempts from hosting provider IPs or residential proxies. Require MFA or IP allowlisting for ROPC flows.

Verdict Reasoning

The verdict of Credential Compromise at high confidence rests on the following mutually corroborating signals:

1. Password Hash Sync validation confirms the attacker possessed the correct password for user_1@[INTERNAL_DOMAIN_1].com, proving credential compromise occurred

2. The authentication attempt from FranTech Solutions (a hosting provider in Luxembourg) contradicts the user's Philippines-based profile with no evidence of authorized travel, indicating unauthorized use

3. ROPC protocol and node-fetch user agent demonstrate programmatic access rather than legitimate user behavior, consistent with credential-stuffing or brute-force automation

4. Microsoft Entra ID's high-risk assessment and Conditional Access block confirm the attempt was correctly identified as suspicious by security controls

5. The user's lack of MFA registration and capability made the account vulnerable to credential-based attacks once the password was compromised.

Confidence is High rather than Confirmed because the investigation did not recover forensic evidence of how the credentials were initially compromised (e.g., phishing, malware, data breach source), only that they were used maliciously.

Lessons

  1. Blocked attempts reveal compromise, not containment. This investigation shows a credential compromise where the attacker had the correct password but was stopped by Conditional Access. The block is a win for detection, but the real finding is that credentials were already in an attacker's hands. The organization should assume the password is compromised and force a reset immediately, then audit all successful logins from this user's account in the preceding weeks to identify when the compromise occurred and what else the attacker accessed.
  2. MFA absence turns credential compromise into account compromise. User_1 lacks MFA registration and capability. If Conditional Access had not blocked this attempt, the attacker would have obtained a valid token and gained full account access. The hosting provider IP and ROPC protocol would have bypassed interactive MFA prompts anyway. Mandate MFA for all users, especially those in leadership roles ([ROLE_1]) with access to sensitive systems.
  3. Hosting provider IPs are a credential-attack signature. FranTech Solutions is a hosting provider; legitimate business access does not originate from hosting infrastructure. When you see authentication from AWS, Azure, DigitalOcean, Linode, or similar providers, treat it as a credential-attack indicator unless the user is explicitly authorized to access from that IP (e.g., a remote worker using a VPN hosted on that provider). Build a blocklist or high-confidence alert rule for hosting provider IP ranges.
  4. ROPC + non-browser user agent = programmatic attack. ROPC (Resource Owner Password Credentials) is a legacy OAuth flow designed for first-party applications. When combined with user agents like node-fetch, curl, or Python requests, it signals automated credential usage. Interactive users should authenticate via browser-based flows (Authorization Code) that support MFA. Restrict ROPC to service accounts and require IP allowlisting for any ROPC usage.
  5. Geographic impossibility is a strong signal. User_1 is based in the Philippines ([SITE_1]) with no evidence of travel to Luxembourg. A failed login from Luxembourg is not just unusual: it is impossible without credential compromise or account takeover. Implement geographic anomaly detection that flags logins from countries where the user has never authenticated before, especially when combined with other risk factors (unmanaged device, non-standard protocol, hosting provider IP).