Anomaly detection is an effective way to identify suspicious behavior in an environment that could indicate a cyberattack. By scanning user activity, anomaly detection tools identify outliers that deviate from normal patterns.
Impossible travel activity is an anomaly detection that can help prevent cyberattacks such as account compromise and ransomware in Microsoft 365 (formerly Office 365).
Here’s how impossible travel alerts work in Microsoft 365.
What Is Impossible Travel Activity?
Impossible travel detections track information such as GPS location, IP address, or the user’s device to pinpoint where users are and determine whether a sequence of activity was physically possible. If it was not, it could indicate that an adversary is attempting to infiltrate the environment.
For example, if a user logs into Microsoft 365 to check email in New York and then downloads a OneDrive file in Poland an hour later, that would be considered impossible travel; it’s physically impossible to get from New York to Poland in that span of time.
Why You Should Detect Impossible Travel
Remote work is here to stay for many organizations; over half (52%) of global employees work remotely at least once a week, according to Owl Labs. Remote work inherently increases the volume of available data, which expands an organization’s attack surface and decreases visibility. A distributed — and often cloud-based — workforce makes it more challenging for IT and security professionals to understand where their end users are working from and create policies around that.
As opportunistic attackers take advantage of those security gaps, an impossible travel detection provides context around users’ different locations and identifies evidence of malicious activity.
Impossible travel activity can be an early sign of cybersecurity incidents such as ransomware, man-in-the-middle attacks, account takeovers, or offshore attacks. And as the dwell time — the window of time from initial discovery of an incident to execution — shortens for ransomware attacks, early discovery and fast response are especially crucial.
That’s why it’s crucial to detect potentially threatening behavior, not just the known-bad signatures that traditional antivirus software often leans on. The behavior-based approach of a modern security information and event management (SIEM) platform can alert admins to suspicious activity that indicates an attack may be in progress.
Impossible Travel Rules In Microsoft 365
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a cloud access security broker (CASB) that automatically enables anomaly detection policies out-of-the-box with its user and entity behavioral analytics (UEBA) and machine learning (ML) features — impossible travel activity being one of those detections.
Microsoft Defender for Cloud Apps also detects atypical travel, which is slightly different, according to Microsoft:
Atypical travel: This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. Among several other factors, this machine learning algorithm takes into account the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second, indicating that a different user is using the same credentials.
Impossible travel: This detection identifies two user activities (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials.
Microsoft Defender’s impossible travel rules suppress scenarios that can trigger false positives, such as successful login from a VPN service or from cloud providers that don’t indicate a physical location.
Admins can also use the sensitivity slider feature to tune the detection to be more or less sensitive, depending on the organization’s needs. For example, low sensitivity levels will use system suppressions (built-in detections that are always suppressed); tenant suppressions (common activities based on previous activity in the tenant); and user suppressions (common activities based on a user’s previous behavior). High sensitivity levels will suppress only system-level detections.
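The distance-versus-time check described under "What Is Impossible Travel Activity?" and the VPN/cloud-egress suppression described just above, as an added illustration that is not Microsoft's or Blumira's code. It assumes a haversine great-circle distance, a hypothetical 1,000 km/h plausibility threshold, and constructed audit events, IPs and coordinates.

```python
# Added example, not Microsoft's or Blumira's code: a minimal impossible-travel
# check over constructed Microsoft 365-style audit events. Consecutive activities of
# one user are flagged when the implied ground speed exceeds what a flight could manage.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0
SUPPRESSED_IPS = {"203.0.113.10"}  # constructed stand-in for a VPN/cloud egress list

@dataclass
class Activity:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    operation: str  # Unified Audit Log operation name

def haversine_km(lat1, lon1, lat2, lon2):
    # great-circle distance in km between two latitude/longitude points
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def required_speed_kmh(a, b):
    # speed the same user would need to move from activity a to activity b
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    return km / hours if hours > 0 else float("inf")

def is_impossible_travel(a, b, max_kmh=MAX_PLAUSIBLE_KMH):
    if a.user != b.user or a.ip in SUPPRESSED_IPS or b.ip in SUPPRESSED_IPS:
        return False  # different principals, or location not physically meaningful
    return required_speed_kmh(a, b) > max_kmh

def find_impossible_travel(events):
    # pair each user's chronologically adjacent activities; return alert tuples
    ordered = sorted(events, key=lambda e: (e.user, e.when))
    return [(p.user, p.operation, c.operation, round(required_speed_kmh(p, c)))
            for p, c in zip(ordered, ordered[1:]) if is_impossible_travel(p, c)]

# Constructed sample: alice reads mail in New York, then downloads a file from Poland
# an hour later; bob's second event arrives via a suppressed VPN address (no alert).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Activity("alice", T0, "198.51.100.7", 40.7128, -74.0060, "MailItemsAccessed"),
    Activity("alice", T0 + timedelta(hours=1), "192.0.2.44", 52.2297, 21.0122, "FileDownloaded"),
    Activity("bob", T0, "198.51.100.9", 40.7128, -74.0060, "UserLoggedIn"),
    Activity("bob", T0 + timedelta(hours=1), "203.0.113.10", 52.2297, 21.0122, "UserLoggedIn"),
]
```

Calling `find_impossible_travel(SAMPLE)` yields one alert for alice at roughly 6,900 km/h, while bob's pair is suppressed because the second IP is on the egress list.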
Detecting Impossible Travel Activity
With Blumira’s cloud SIEM with threat detection and response, you can detect impossible travel activity in your Microsoft 365 environment. Blumira’s Free edition easily connects to Microsoft 365 to detect and respond to threats in minutes.
Impossible travel activity is just one example of what you can detect with Blumira Free. Other unusual activity detections include:
- Any activity from anonymous or suspicious IP addresses
- Activity from infrequent countries or terminated users
- Any unusual external file activity
- Multiple failed user login attempts
- Increases in phishing emails or ISPs (internet service providers) for an OAuth application
- Any suspicious email sending patterns detected
To help you with remediation steps, we provide a workflow with recommendations, such as immediately disabling the user within your Duo Security multi-factor authentication (MFA) administrative panel. Then confirm the user’s travel plans with them, or reset their credentials.