A user was observed accessing the environment from a known anonymizing network (TOR) exit node after authenticating.
Possible Root Causes
An attacker is using an anonymizing proxy such as TOR to hide the true origin of their connection, or to make investigation more difficult by appearing from multiple source IP addresses.
A user may be intentionally using TOR to circumvent restrictions preventing access to the resources in question, such as those applied by the country they are accessing from.
Business Impact
Attackers identified under this detection are actively operating within the environment while maintaining some level of operational security by obfuscating their source details.
Because TOR lets an attacker regularly change the source address of their connections while operating within the environment, it reduces the ability of security teams to link identified attacker behavior to related activity that has not yet been identified.
Steps to Verify
Review the actions being undertaken by the user during and just before the identified activity to determine resources accessed and potential risk posed by that access.
Review security policy to determine if use of TOR is allowed.
Discuss with the user to determine if the use of TOR is known and legitimate.
If review determines there is a high risk to data or the environment, disable the account and perform a comprehensive investigation.
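The check described above and the review it calls for, as an added example that is not part of the original detection documentation or any vendor's code: flag successful (post-authentication) Azure AD sign-ins whose source address is a known TOR exit node, then collect the context a reviewer needs for the verification steps (what the account accessed while on TOR, and which other source addresses it used shortly before). The record field names (userPrincipalName, ipAddress, createdDateTime, resourceDisplayName, status.errorCode) follow the Azure AD sign-in log schema; the exit-node list, the sign-in records, the two-hour lookback and the helper names are constructed for this example.

```python
"""Flag post-authentication Azure AD sign-ins from TOR exit nodes and gather
review context.  Constructed sample data; not the original page's code."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample exit-node list.  In practice this is loaded from a maintained
# feed; the addresses below come from documentation ranges and are not real nodes.
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23", "203.0.113.99"}

# Constructed sample sign-in records, trimmed to the fields the check needs.
SIGNIN_LOGS = [
    {"createdDateTime": "2024-03-01T08:00:12Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.10", "resourceDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-01T08:41:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "resourceDisplayName": "SharePoint Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-01T08:55:44Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.99", "resourceDisplayName": "Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-01T09:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.23", "resourceDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-03-01T09:10:30Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.44", "resourceDisplayName": "Azure Portal", "status": {"errorCode": 0}},
]


def _ts(record):
    """Parse the record's UTC timestamp."""
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_tor_exit(ip, exit_nodes=TOR_EXIT_NODES):
    """True if ip is in the exit-node set; malformed addresses never match."""
    try:
        return str(ip_address(ip)) in exit_nodes
    except ValueError:
        return False


def tor_signins(logs, exit_nodes=TOR_EXIT_NODES):
    """Successful sign-ins from a TOR exit node.  Failed attempts (non-zero
    errorCode) are excluded: the detection concerns a user who authenticated
    and is now operating from TOR, not a credential-guessing attempt."""
    return [r for r in logs
            if r["status"]["errorCode"] == 0 and is_tor_exit(r["ipAddress"], exit_nodes)]


def verify_context(logs, hit, lookback=timedelta(hours=2), exit_nodes=TOR_EXIT_NODES):
    """Context for reviewing one hit: resources the account touched via TOR in
    the lookback window, and every source address it used in that window
    (a non-TOR address shortly before is a lead for the 'discuss with user' step)."""
    user, t_hit = hit["userPrincipalName"], _ts(hit)
    window = [r for r in logs
              if r["userPrincipalName"] == user and t_hit - lookback <= _ts(r) <= t_hit]
    tor_ok = [r for r in window
              if r["status"]["errorCode"] == 0 and is_tor_exit(r["ipAddress"], exit_nodes)]
    return {
        "user": user,
        "resources_via_tor": sorted({r["resourceDisplayName"] for r in tor_ok}),
        "source_ips_in_window": sorted({r["ipAddress"] for r in window}),
        "non_tor_ips_in_window": sorted({r["ipAddress"] for r in window
                                         if not is_tor_exit(r["ipAddress"], exit_nodes)}),
    }


if __name__ == "__main__":
    for hit in tor_signins(SIGNIN_LOGS):
        print(hit["userPrincipalName"], hit["ipAddress"], verify_context(SIGNIN_LOGS, hit))
```

Run against the sample data, only alice's two successful sign-ins are flagged; bob's failed attempt from an exit node is dropped because no session was established, and carol's sign-in is from a non-TOR address. The context for alice's second hit shows that she reached both SharePoint Online and Exchange Online via TOR and that her only non-TOR address in the window was 192.0.2.10, which is the starting point for the policy review and user discussion described above.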
Azure AD TOR Activity