[ { "id": "aad-signin-001", "createdDateTime": "2024-10-22T09:18:44Z", "userDisplayName": "Paz Levi", "userPrincipalName": "p.levi@lifetechpharma.com", "userId": "4f8c2a91-3b7e-4d1a-8e2f-1c9a0b4d5e6f", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "10.10.3.22", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/119.0.0.0", "correlationId": "corr-001-aad", "conditionalAccessStatus": "success", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "status": { "errorCode": 0, "failureReason": null, "additionalDetails": "MFA completed" }, "location": { "city": "Rehovot", "state": "HaMerkaz", "countryOrRegion": "IL", "geoCoordinates": { "latitude": 31.895, "longitude": 34.808 } }, "deviceDetail": { "deviceId": "ws-it-levi-aad", "displayName": "WS-IT-LEVI", "operatingSystem": "Windows 10", "trustType": "Azure AD joined" }, "authenticationDetails": [ { "authenticationStepDateTime": "2024-10-22T09:18:44Z", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true }, { "authenticationStepDateTime": "2024-10-22T09:18:47Z", "authenticationMethod": "Microsoft Authenticator", "authenticationMethodDetail": "Push notification", "succeeded": true } ], "notes": "NORMAL — corporate IP, IST business hours, MFA completed, known device" }, { "id": "aad-signin-002", "createdDateTime": "2024-10-22T09:31:18Z", "userDisplayName": "Paz Levi", "userPrincipalName": "p.levi@lifetechpharma.com", "userId": "4f8c2a91-3b7e-4d1a-8e2f-1c9a0b4d5e6f", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "185.220.101.47", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0.0.0", "correlationId": "corr-002-aad", "conditionalAccessStatus": 
"success", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "status": { "errorCode": 0, "failureReason": null, "additionalDetails": "Session token used — no MFA challenge presented" }, "location": { "city": "Istanbul", "state": "Istanbul", "countryOrRegion": "TR", "geoCoordinates": { "latitude": 41.015, "longitude": 28.979 } }, "deviceDetail": { "deviceId": null, "displayName": null, "operatingSystem": "Windows 10", "trustType": "None" }, "authenticationDetails": [ { "authenticationStepDateTime": "2024-10-22T09:31:18Z", "authenticationMethod": "Previously satisfied", "authenticationMethodDetail": "Session token (no MFA challenge — token replayed)", "succeeded": true } ], "notes": "⚠ ANOMALOUS — foreign IP (Turkey), hosting prefix 185.220.101.0/24 (Tor exit / VPS), session token replay, no MFA, 13 minutes after corporate login, unknown device, this is the AiTM session-theft event" }, { "id": "aad-signin-003", "createdDateTime": "2024-10-23T07:44:02Z", "userDisplayName": "Paz Levi", "userPrincipalName": "p.levi@lifetechpharma.com", "userId": "4f8c2a91-3b7e-4d1a-8e2f-1c9a0b4d5e6f", "appId": "00000003-0000-0ff1-ce00-000000000000", "appDisplayName": "Microsoft Teams", "ipAddress": "10.10.3.22", "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Microsoft Teams/1.6.0.24281 (Windows 10)", "correlationId": "corr-003-aad", "conditionalAccessStatus": "success", "isInteractive": false, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "status": { "errorCode": 0, "failureReason": null, "additionalDetails": "Silent token refresh" }, "location": { "city": "Rehovot", "state": "HaMerkaz", "countryOrRegion": "IL", "geoCoordinates": { "latitude": 31.895, "longitude": 34.808 } }, "deviceDetail": { "deviceId": "ws-it-levi-aad", "displayName": "WS-IT-LEVI", "operatingSystem": "Windows 10", "trustType": "Azure AD joined" },
"authenticationDetails": [ { "authenticationStepDateTime": "2024-10-23T07:44:02Z", "authenticationMethod": "Previously satisfied", "authenticationMethodDetail": "Token refresh — valid session", "succeeded": true } ], "notes": "NORMAL — corporate IP, known device" }, { "id": "aad-signin-004", "createdDateTime": "2024-10-24T00:17:33Z", "userDisplayName": "Paz Levi", "userPrincipalName": "p.levi@lifetechpharma.com", "userId": "4f8c2a91-3b7e-4d1a-8e2f-1c9a0b4d5e6f", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "appDisplayName": "Microsoft Office", "ipAddress": "185.220.101.47", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/118.0.0.0", "correlationId": "corr-004-aad", "conditionalAccessStatus": "success", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "status": { "errorCode": 0, "failureReason": null, "additionalDetails": "Session token used — no MFA challenge" }, "location": { "city": "Istanbul", "state": "Istanbul", "countryOrRegion": "TR", "geoCoordinates": { "latitude": 41.015, "longitude": 28.979 } }, "deviceDetail": { "deviceId": null, "displayName": null, "operatingSystem": "Linux", "trustType": "None" }, "authenticationDetails": [ { "authenticationStepDateTime": "2024-10-24T00:17:33Z", "authenticationMethod": "Previously satisfied", "authenticationMethodDetail": "Session token replay — no MFA", "succeeded": true } ], "notes": "⚠ ANOMALOUS — same Turkish IP, Linux OS (p.levi uses Windows), 02:17 local time in Israel, correlates with VPN login (see vpn/anyconnect-2024-10-24.log)" } ]