Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.
Anonymized Login incidents occur when an account within Microsoft Entra ID authenticates from anonymized infrastructure, such as VPNs, proxy servers, or the Tor network.
Even though your organization’s users can use VPNs and proxy servers for legitimate purposes, such as remote work, threat actors heavily rely on these tools to orchestrate attacks. By routing their traffic through external or multi-hop proxies, adversaries can manage command and control (C2) communications and perform damaging activities without exposing their actual infrastructure or geolocation. An anonymized login is rarely an isolated event; it strongly indicates compromised credentials and serves as the entry point for a broader attack sequence. Identifying this behavior early is critical to stopping an adversary before they can establish a foothold and cause significant disruption.
By detecting this anomalous activity, Lumu provides valuable insight into the following critical areas:
This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context—Scope, Severity, and Source—presented in a narrative that supports your response team's decision-making.
Through its integration with Microsoft Entra ID, Lumu collects user contextual data to provide a full picture of the user's normal behavior, alongside the recent log activity needed to map the attacker's actions during the session.
The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:
1. Summary: This section highlights critical information, including the First and Last Logins and the Incident Duration. This data establishes a general scope of the incident, allowing analysts to quickly differentiate between a momentary anomaly (like a user traveling) and a sustained account takeover attempt.
2. Targeted User: This section delivers crucial context about the specific user involved, capturing the user's details exactly as they were at the time of the last detected event.
3. Anonymized Login Activity: This section provides a comprehensive overview of the specific login events originating from the targeted user. It is divided into three key areas to help investigate the context and severity of the obfuscated session:
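The summary data above (first and last login, incident duration, successful versus failed events, and the anonymized sources and applications involved) can be reconstructed from raw sign-in records. The following is an added example written for this page; it is not Lumu's code and does not use the Lumu Portal or the Entra ID API. It runs over constructed sign-in records and constructed anonymizer ranges (documentation prefixes standing in for a Tor exit list or proxy/VPN intelligence feed), and the `SUSTAINED_MINUTES` threshold is an assumed triage setting, not a value from the page.

```python
"""Added example (not Lumu's code): triage of anonymized Entra ID sign-ins.

Flags sign-ins whose source address falls in a known anonymizer range, then
builds the per-user summary the playbook describes (first login, last login,
incident duration) and separates one-off anomalies from sustained activity.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed anonymizer ranges (documentation prefixes, not a real feed).
# In practice this table is fed from a Tor exit list or proxy/VPN intelligence.
ANONYMIZER_RANGES = {
    "tor-exit": [ip_network("198.51.100.0/24")],
    "commercial-vpn": [ip_network("203.0.113.0/24")],
}

# Constructed sign-in records modelled on Entra ID sign-in log fields.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "192.0.2.10",   "time": "2024-05-01T08:02:11Z", "result": "success", "app": "Office 365"},
    {"user": "alice@example.com", "ip": "198.51.100.7", "time": "2024-05-01T23:15:40Z", "result": "success", "app": "Office 365"},
    {"user": "alice@example.com", "ip": "198.51.100.9", "time": "2024-05-02T01:48:03Z", "result": "success", "app": "Azure Portal"},
    {"user": "bob@example.com",   "ip": "203.0.113.44", "time": "2024-05-01T09:00:00Z", "result": "failure", "app": "Office 365"},
    {"user": "bob@example.com",   "ip": "192.0.2.55",   "time": "2024-05-01T09:05:00Z", "result": "success", "app": "Office 365"},
]

# Assumed triage threshold: anonymized activity spanning longer than this, or
# coming from more than one source, is treated as sustained rather than momentary.
SUSTAINED_MINUTES = 60


def classify_ip(ip):
    """Return the anonymizer category for ip, or None if it is in no known range."""
    addr = ip_address(ip)
    for label, nets in ANONYMIZER_RANGES.items():
        if any(addr in net for net in nets):
            return label
    return None


def parse_time(ts):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def anonymized_signins(events):
    """Keep only sign-ins from anonymized infrastructure, tagging each with its category."""
    tagged = []
    for e in events:
        label = classify_ip(e["ip"])
        if label is not None:
            tagged.append(dict(e, anonymizer=label))
    return tagged


def assess(s):
    """Map a user summary to a triage verdict."""
    if s["successful"] == 0:
        return "failed-only"   # attempts from an anonymizer, but no session was established
    if s["duration_minutes"] > SUSTAINED_MINUTES or len(s["sources"]) > 1:
        return "sustained"     # long span or several sources: treat as account takeover
    return "momentary"         # single successful event over a short span


def summarize(events):
    """Build the per-user summary: first/last anonymized login, duration, sources, apps."""
    summaries = {}
    for e in sorted(anonymized_signins(events), key=lambda ev: parse_time(ev["time"])):
        s = summaries.setdefault(e["user"], {
            "first_login": None, "last_login": None, "duration_minutes": 0,
            "successful": 0, "failed": 0, "sources": set(), "apps": set(), "anonymizers": set(),
        })
        t = parse_time(e["time"])
        s["first_login"] = s["first_login"] or t
        s["last_login"] = t
        s["duration_minutes"] = int((s["last_login"] - s["first_login"]).total_seconds() // 60)
        s["successful" if e["result"] == "success" else "failed"] += 1
        s["sources"].add(e["ip"])
        s["apps"].add(e["app"])
        s["anonymizers"].add(e["anonymizer"])
    for s in summaries.values():
        s["assessment"] = assess(s)
    return summaries


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_SIGNINS).items():
        print(f"{user}: {s['assessment']} first={s['first_login'].isoformat()} "
              f"last={s['last_login'].isoformat()} duration={s['duration_minutes']}m "
              f"sources={sorted(s['sources'])} apps={sorted(s['apps'])}")
```

In the constructed data, alice's two successful Tor-exit sign-ins span 152 minutes across two source addresses and two applications, so she is assessed as sustained; bob's single failed attempt from a VPN range establishes no session and is reported as failed-only, which is the distinction the Summary section is meant to surface quickly. Successful sign-ins from the user's usual address (192.0.2.x) are left out of the anonymized view but remain available as the baseline for the user's normal behavior.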
While the Lumu Portal displays the most critical data points—such as the top attacking sources and targeted users—complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its Export feature, which lets analysts move beyond the high-level summary and access the complete forensic dataset of the incident.
You can export data using the dropdown menu located at the top of the page (1).
You can export the following data for this incident: