O365 Concurrent Sessions From Different Ips

name: O365 Concurrent Sessions From Different Ips
id: 58e034de-1f87-4812-9dc3-a4f68c7db930
version: 12
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security.
data_source:
    - O365 UserLoggedIn
search: |-
    `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime values(src) as src
        BY signature dest user
           vendor_account vendor_product SessionId
      | where mvcount(src) > 1
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_concurrent_sessions_from_different_ips_filter`
how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
known_false_positives: No false positives have been identified at this time.
references:
    - https://attack.mitre.org/techniques/T1185/
    - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
    - https://github.com/kgretzky/evilginx2
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ has logged in with the same session id from more than one unique IP address
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Account Takeover
        - Scattered Lapsus$ Hunters
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1185
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log
          sourcetype: o365:management:activity
          source: o365