Anonymized Login Detection

Note: Learn how to effectively investigate, contain, and remediate this incident by following our Response Playbook.

Anonymized Login incidents occur when an account within EntraID authenticates from anonymized infrastructure, such as VPNs, proxy servers, or the TOR network.

This incident is only detected if you have integrated Microsoft Entra ID with Lumu; see our integration guide for the setup steps.

Even though your organization’s users can use VPNs and proxy servers for legitimate purposes, such as remote work, threat actors heavily rely on these tools to orchestrate attacks. By routing their traffic through external or multi-hop proxies, adversaries can manage command and control (C2) communications and perform damaging activities without exposing their actual infrastructure or geolocation. An anonymized login is rarely an isolated event; it strongly indicates compromised credentials and serves as the entry point for a broader attack sequence. Identifying this behavior early is critical to stopping an adversary before they can establish a foothold and cause significant disruption.

By detecting this anomalous activity, Lumu provides valuable insight into the following critical areas:

  • Identification of compromised credentials: Alerts security teams that an authorized user has successfully authenticated using an IP concealer. This allows organizations to intervene before the attacker can harvest sensitive data from online storage accounts and databases.
  • Prevention of lateral movement: Detects when attackers attempt to use an anonymized connection to blend in with normal network traffic. This visibility allows defenders to stop adversaries from leveraging a compromised identity to access internal file shares, map network drives, or launch Remote Desktop Protocol (RDP) sessions.
  • Mitigation of privilege escalation: Highlights malicious attempts to probe the Active Directory environment. This helps prevent attackers from executing attacks against Domain Controllers, scraping memory for credential hashes, or exploiting misconfigurations to affect systems with higher clearance.

This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context—Scope, Severity, and Source—presented in a narrative that supports your response team's decision-making.

Collected Data

Through its integration with Microsoft Entra ID, Lumu collects the user's contextual data to build a full picture of the user's normal behavior, alongside the recent log activity, to map the attacker's actions during the session.

  • Targeted User: The specific account that authenticated via the concealed connection. Lumu will also retrieve the groups in which this user is registered.
  • Concealment Method: Identifies the specific tool used to obfuscate the session, such as a VPN, Proxy, or TOR.
  • User Contextual Data: Detailed information regarding the login event and the user's historical behavior to determine the legitimacy of the session. This includes:
    • Endpoint context: IP address and location, the specific application accessed, operating system, device name, device browser, and the device's compliance or managed status.
  • Recent logins: A baseline of the user's previous 10 sessions, used to compare behavior and highlight significant deviations, such as connecting from an uncommon location, using a different browser or OS, or accessing an uncommon application.
    • Recent log activity: A record of the latest changes or operations executed by the user during the attack window.

Incident Details

The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:

1. Summary: This section highlights critical information, including the First and Last Logins and the Incident Duration. This data establishes a general scope of the incident, allowing analysts to quickly differentiate between a momentary anomaly (like a user traveling) and a sustained account takeover attempt.

2. Targeted User: This section delivers crucial context about the specific user involved, capturing the user's details exactly as they were at the time of the last detected event.

  • Identity and Role: Shows the user's name, email address, and their specific job title and department (e.g., Marketing Director | Marketing and Communications). This information helps determine the potential impact or data exposure based on the user's clearance level.
  • Security Posture: Highlights the account's authentication security with a green MFA Enabled badge. This is vital for understanding how an attacker might be operating: if MFA is enabled, the attacker may have used session hijacking or an MFA fatigue attack to access the account, bypassing that security measure.
  • Account Groups: A list showing all the organizational Active Directory groups the user belongs to (e.g., news, IT, All Company). By knowing the user's access rights, you can understand the potential scope in case the compromised account is used to move laterally across the network.

3. Anonymized Login Activity: This section provides a comprehensive overview of the specific login events originating from the targeted user. It is divided into three key areas to help investigate the context and severity of the obfuscated session:

  • User Context: Displays the foundational details of the obfuscated connection, including:
    • Exact timestamp
    • Concealment method used (e.g., VPN: SharkVPN)
    • IP address
    • Location
    • Application accessed
    • Operating System
    • Device Name
    • Device Browser
  • Recent Logins (Behavior Comparison): This area visually compares the context of the anonymized login against the user's previous 10 sessions to establish a baseline of behavior. It uses a score to represent how closely the current session matches the user's typical habits across different metrics (Location, Device Name, Operating System, Device Browser, Application, and Compliance). Any strong deviation from the norm—such as logging in from a new location, using an unusual browser, or accessing an application that is not normally required for the user's tasks—is flagged in red text so the anomalies are easy to spot.
  • Recent Log Activity: This module shows the changes and operations related to the compromised account during the attack window. The logs displayed allow analysts to trace the attacker's steps and determine whether any unauthorized modifications or privilege escalations occurred.
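The baseline comparison described under Recent Logins (and under Collected Data above), as an added example that is not Lumu's own code: each metric is scored as the share of the user's previous 10 sessions that match the current session's value, and metrics with a low score are the ones an analyst would see flagged. The scoring formula, the threshold, and all session data below are assumptions constructed for illustration.

```python
from collections import Counter

# Metrics the comparison covers: Location, Device Name, Operating System,
# Device Browser, Application, and Compliance (managed/compliant status).
METRICS = ("location", "device_name", "os", "browser", "application", "compliant")

def metric_scores(current: dict, history: list[dict]) -> dict[str, float]:
    """Per-metric score: fraction of baseline sessions sharing the current value.

    1.0 means every previous session matches; 0.0 means the value was never seen.
    This scoring is an assumed illustration, not Lumu's actual formula.
    """
    if not history:
        return {m: 0.0 for m in METRICS}
    scores = {}
    for m in METRICS:
        seen = Counter(h.get(m) for h in history)
        scores[m] = seen[current.get(m)] / len(history)
    return scores

def flag_deviations(current: dict, history: list[dict], threshold: float = 0.2) -> dict:
    """Return the metrics whose score is below the threshold (the 'red text' items)."""
    scores = metric_scores(current, history)
    return {m: current.get(m) for m, s in scores.items() if s < threshold}

def _session(location, application, **overrides):
    # Helper to build a constructed baseline session on the user's usual managed laptop.
    base = {"location": location, "device_name": "LAPTOP-MKT01", "os": "Windows 10",
            "browser": "Edge 120", "application": application, "compliant": True}
    base.update(overrides)
    return base

# Constructed baseline: the user's previous 10 sessions (not real data).
BASELINE = (
    [_session("Bogota, CO", "Microsoft Teams")] * 5
    + [_session("Bogota, CO", "Office 365 Exchange Online")] * 2
    + [_session("Medellin, CO", "Microsoft Teams")] * 2
    + [_session("Medellin, CO", "Office 365 Exchange Online")]
)

# Constructed anonymized login: VPN exit node, unmanaged Linux host, different browser.
CURRENT_LOGIN = {
    "concealment": "VPN", "location": "Amsterdam, NL", "device_name": "DESKTOP-7F3A",
    "os": "Linux", "browser": "Firefox 121", "application": "Office 365 Exchange Online",
    "compliant": False,
}

if __name__ == "__main__":
    for metric, score in metric_scores(CURRENT_LOGIN, BASELINE).items():
        print(f"{metric:12s} {score:.1f}")
    print("deviations:", flag_deviations(CURRENT_LOGIN, BASELINE))
```

Here the application is not flagged because the user has opened Exchange Online in 3 of the last 10 sessions, while location, device, OS, browser, and compliance status all score 0.0 and would be shown in red.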

Incident data export

While the Lumu Portal displays the most critical data points—such as the top attacking sources and target users—complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its Export feature, which allows analysts to move beyond the high-level summary and access the complete forensic dataset of the incident.

You can export data using the dropdown menu located at the top of the page (1).

Exportable data

You can export the following data for this incident:

  • All anonymized events
    Generates a CSV file with the information of every anonymized login event recorded in the incident.
  • Single event context
    Generates a CSV file with the context information of a single login event recorded within the incident (2).
