Triggers
- Abnormal Azure AD operations that may be associated with privilege escalation or account takeover.
Possible Root Causes
- Attackers may be escalating privileges and performing admin-level operations after regular account takeover.
- A user whose learned activity baseline has been lost as a result of a prolonged leave of absence or a change in job function has returned to their regular job.
- A user’s role may have evolved as part of a special project or assignment and the user is performing Azure AD activities previously outside of their learned baseline.
Business Impact
- Users substantially deviating from their learned baseline in ways that correspond to threats associated with privilege escalation or account takeover often indicate an adversary foothold.
- Account takeover and privilege escalation can lead to sensitive information leakage, ransomware attacks, and other abuses.
Steps to Verify
- Investigate both the target and result of these operations to understand the potential impact.
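The verification step above, as an added example that is not part of this page: a small Python check that reads Azure AD audit-log records (constructed samples modelled on the audit log schema's activityDisplayName, result, initiatedBy and targetResources fields), flags privilege-related activities an actor has not performed before, and reports the target and result of each for the investigator. The privileged-activity list and the per-user baseline are assumptions, not values from the page.

```python
# Added example: flag Azure AD audit-log operations that are privilege-related
# AND outside the actor's learned baseline, then summarise target and result.
# All records are constructed, modelled on the Azure AD audit log schema.

# Activities worth a second look when new for an actor (assumed, not exhaustive).
PRIVILEGED_ACTIVITIES = {"Add member to role", "Add eligible member to role",
                         "Consent to application", "Reset user password"}

# Constructed baseline: activities each user has been seen performing before.
BASELINE = {
    "alice@example.com": {"Update user", "Change user password"},
    "bob@example.com": {"Add member to role", "Update user"},
}

# Constructed audit records (not real tenant data).
AUDIT_RECORDS = [
    {"activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Alice Doe", "type": "User"}]},
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"},
                         {"displayName": "Alice Doe", "type": "User"}]},
    {"activityDisplayName": "Add member to role", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "Privileged Role Administrator", "type": "Role"}]},
]

def actor(record):
    """Actor UPN, or the app display name when a service principal acted."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"

def find_deviations(records, baseline, privileged=PRIVILEGED_ACTIVITIES):
    """One finding per record whose activity is privileged and unseen for its actor."""
    findings = []
    for rec in records:
        who, activity = actor(rec), rec.get("activityDisplayName", "")
        if activity in privileged and activity not in baseline.get(who, set()):
            targets = [f"{t.get('type')}:{t.get('displayName')}"
                       for t in rec.get("targetResources", [])]
            findings.append({"actor": who, "activity": activity,
                             "result": rec.get("result"), "targets": targets})
    return findings

if __name__ == "__main__":
    for finding in find_deviations(AUDIT_RECORDS, BASELINE):
        print(finding)  # Alice adding herself to Global Administrator is the only hit
```

Bob's role assignment is not flagged because it sits inside his baseline, which is the point of the detection: the same operation is benign for one user and worth verifying for another.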