Difficulty: Easy | Category: Identity & Access | Time: 10-20 minutes | Tools: SIEM, XDR

Impossible Travel Login Investigation

When authentication logs show a user logging in from two geographically distant locations within a timeframe that makes physical travel impossible, investigate by verifying the user identity, checking for VPN or proxy use, reviewing the device fingerprint, and determining if credentials were compromised. This technique was central to the Scattered Spider campaigns (2023-2024) where attackers used stolen credentials from distant locations to bypass geographic anomaly detection.

Overview

Impossible travel alerts detect when a user authenticates from locations too far apart to have physically traveled between in the elapsed time. While these alerts have a high false-positive rate due to VPN usage, mobile roaming, and cloud proxy services, they are also one of the earliest indicators of credential compromise.

The Scattered Spider group (UNC3944) exploited this attack vector extensively in 2023-2024, targeting Okta and Azure AD environments across MGM Resorts, Caesars Entertainment, and multiple tech companies. This playbook teaches you to efficiently triage impossible travel alerts, distinguish legitimate VPN usage from credential theft, and assess whether the login led to further malicious activity.

When You See This

  1. SIEM or identity provider alert for geographically impossible login within a short time window

  2. Azure AD or Okta risk detection flagging "atypical travel" for a user account

  3. Two successful authentications from different countries within minutes of each other

  4. Cloud access security broker (CASB) flagging login from a new or suspicious location

Investigation Steps

  1. Verify the login locations and timing

     Examine both login events in detail. Note the exact timestamps, source IP addresses, geolocations, user agent strings, and which applications were accessed. Calculate the distance and time between logins. A login from New York at 10:00 and London at 10:15 is impossible. New York at 10:00 and Chicago at 14:00 is plausible.

     Tools: SIEM
     Query:
     index=auth user="flagged_user" action=success | iplocation src_ip | stats earliest(_time) as first_login, latest(_time) as last_login, values(City) as cities, values(Country) as countries, values(src_ip) as ips, values(user_agent) as agents by user

     Decision Point

     If: Both logins are from known corporate VPN exit points or cloud proxy IPs

     Yes → Likely false positive. Verify with the user or check VPN connection logs. Document and close.

     No → Potential credential compromise. Continue investigation immediately.

  2. Check device fingerprints and session tokens

     Compare the device information for both sessions. Different operating systems, browsers, or device IDs strongly suggest two different people using the same credentials. Check if both sessions are still active simultaneously; an attacker often maintains a parallel session.

     Tools: SIEM, XDR
     Query:
     index=auth user="flagged_user" | stats values(os) as operating_systems, values(browser) as browsers, values(device_id) as devices by src_ip | where mvcount(devices) > 1
  3. Review what the suspicious session accessed

     If one session appears illegitimate, trace all activity from that session. Look for email forwarding rule changes, data downloads, privilege escalation attempts, or new OAuth application consents. Scattered Spider attackers typically targeted identity management consoles and internal IT tools within minutes of gaining access.

     Tools: SIEM
     Query (the index terms are parenthesized so the user and source IP filters apply to both indexes; without the parentheses Splunk's implicit AND binds tighter than OR and the filters would only apply to azure_ad):
     (index=o365 OR index=azure_ad) user="flagged_user" src_ip="suspicious_ip" | stats count by operation, target_resource | sort -count

  4. Contact the user and contain

     Reach out to the user through a verified channel (not email, which may be compromised) to confirm which login is theirs. If the suspicious login is confirmed unauthorized, immediately revoke all sessions, reset the password, review MFA devices for unauthorized enrollments, and check for persistence mechanisms like mail forwarding rules or OAuth app grants.

     Tools: SIEM, XDR
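The distance-and-time check from step 1, the VPN exit-node decision point, and the step 2 device fingerprint comparison, as an added Python example that is not part of the original playbook. The login events, the VPN exit IP allow-list and the 900 km/h travel ceiling are all constructed assumptions for the demo; in practice the events come from the SIEM query above and the allow-list from your VPN inventory.

```python
import math
from datetime import datetime

# Constructed sample events (not real data): successful logins, one dict per event.
EVENTS = [
    {"user": "jdoe", "time": "2024-03-01T10:00:00", "src_ip": "203.0.113.10", "lat": 40.71,
     "lon": -74.01, "os": "Windows", "browser": "Edge", "device_id": "D-1"},
    {"user": "jdoe", "time": "2024-03-01T10:15:00", "src_ip": "198.51.100.7", "lat": 51.51,
     "lon": -0.13, "os": "Linux", "browser": "Firefox", "device_id": "D-9"},
    {"user": "asmith", "time": "2024-03-01T10:00:00", "src_ip": "192.0.2.5", "lat": 40.71,
     "lon": -74.01, "os": "macOS", "browser": "Safari", "device_id": "D-4"},
    {"user": "asmith", "time": "2024-03-01T14:00:00", "src_ip": "192.0.2.6", "lat": 41.88,
     "lon": -87.63, "os": "macOS", "browser": "Safari", "device_id": "D-4"},
    {"user": "bwong", "time": "2024-03-01T10:00:00", "src_ip": "203.0.113.50", "lat": 40.71,
     "lon": -74.01, "os": "Windows", "browser": "Chrome", "device_id": "D-7"},
    {"user": "bwong", "time": "2024-03-01T10:10:00", "src_ip": "203.0.113.51", "lat": 51.51,
     "lon": -0.13, "os": "Windows", "browser": "Chrome", "device_id": "D-7"},
]
VPN_EXIT_IPS = {"203.0.113.50", "203.0.113.51"}  # constructed corporate VPN exit allow-list (assumed)
MAX_KMH = 900.0  # assumed ceiling: roughly airliner ground speed; tune for your environment

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two geolocated login sources."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(events, vpn_exit_ips=VPN_EXIT_IPS, max_kmh=MAX_KMH):
    """Pair each user's consecutive logins and apply the step 1 decision point."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            secs = (datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])).total_seconds()
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            # Same-place pairs are never impossible; zero elapsed time with distance is infinite speed.
            speed = 0.0 if km == 0 else (km / (secs / 3600) if secs > 0 else float("inf"))
            if speed <= max_kmh:
                verdict = "plausible"
            elif a["src_ip"] in vpn_exit_ips and b["src_ip"] in vpn_exit_ips:
                verdict = "likely_vpn_false_positive"  # verify with user / VPN logs, then close
            else:
                verdict = "impossible_travel"  # continue the investigation immediately
            # Step 2: differing OS, browser or device ID suggests two people on one credential
            mismatch = [k for k in ("os", "browser", "device_id") if a[k] != b[k]]
            findings.append({"user": user, "ips": (a["src_ip"], b["src_ip"]), "km": round(km),
                             "speed_kmh": round(speed, 1), "verdict": verdict, "device_mismatch": mismatch})
    return findings
```

Running `assess(EVENTS)` yields one finding per consecutive login pair; jdoe (New York to London in 15 minutes, different OS, browser and device) is flagged as impossible travel, asmith (New York to Chicago in 4 hours) is plausible, and bwong is a likely VPN false positive because both IPs are on the allow-list.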

Common Mistakes

  1. Auto-closing impossible travel alerts as VPN false positives without verifying the specific IPs against known VPN exit nodes

  2. Checking only the login event without reviewing what the suspicious session did after authentication

  3. Not looking for new MFA device enrollments; Scattered Spider specifically enrolled new MFA devices on compromised accounts

Escalation Criteria

  • Confirmed unauthorized login from an unknown location with data access

  • New MFA device enrolled from the suspicious session

  • The compromised account has admin or privileged access to identity providers

Practice This Investigation

SOCSimulator provides hands-on training rooms where you work through real-world attack scenarios, including impossible travel login investigations with live SIEM alerts. Build analyst muscle memory with zero consequences. Free forever.


Frequently Asked Questions

What percentage of impossible travel alerts are false positives?
Typically 70-90% depending on your organization. VPN usage, mobile roaming, and cloud proxies all trigger false positives. The key is efficient triage, checking VPN exit IPs and device fingerprints before deep investigation. But never auto-close them: the 10-30% that are real can be devastating.
What is Scattered Spider and why does it matter?
Scattered Spider (UNC3944) is a threat group responsible for high-profile breaches at MGM Resorts, Caesars Entertainment, and multiple tech companies in 2023-2024. They specialize in social engineering help desk staff to reset MFA and then using stolen credentials from distant locations. Their TTPs make impossible travel investigation skills critical.
How do I practice impossible travel investigations?
SOCSimulator includes credential-based attack scenarios featuring impossible travel patterns. Practice distinguishing VPN false positives from real credential theft in a realistic SIEM environment. Start free forever.