A reality check for SOC teams relying blindly on geographic log parameters
Predictable Local Activity May Reduce Analyst Vigilance
For SOC analysts who spend their days triaging Microsoft 365 login events, the daily routine often falls into a predictable pattern. Security teams often implement a binary triage logic: local logins are automatically marked as benign, while foreign logins undergo deeper verification and analysis. This creates a dangerous security gap.
Logins from local IP: Check the sign-in IP → If it’s a local IP → Close as expected/benign.
Logins from Abroad: Check the sign-in IP → If it’s originating abroad → Triage the IP → Analyse login fields (user agents, device IDs) → Compare against the historical baseline → Close as TP, FP, or BP.
When an entire user base operates locally, analysts are heavily conditioned to trust any authentication event carrying a local country code. This predictability can itself become a vulnerability. The elevated risk of a compromise masking itself within local IP space is specifically designed to exploit an analyst's trust, bypassing standard defences unnoticed.
Threat Actors Manipulate Log Context
Phishing-as-a-Service (PaaS) is evolving rapidly, and the success rate of modern Adversary-in-the-Middle (AitM) phishing attacks remains alarmingly high. Security platforms frequently flag these compromises using behavioral detection rules designed to catch anomalies. However, looking at this from a social engineering perspective presents a greater concern.
If an analyst is conditioned to see thousands of successful logins from a local jurisdiction, a threat actor will seek to exploit the analyst rather than the end-user. Because security teams are the ones disrupting active attacks, their baseline assumptions are the primary targets.
"Modern threat actors do not just exploit end-users; they manipulate log context to exploit fatigued security analysts."
Ironically, an experienced adversary is perfectly equipped to design a flawless post-compromise campaign. By understanding exactly what security logs look like and what triggers an alert, attackers can carefully construct their technical footprint to trick a peer into closing a valid alert (especially since most of Microsoft’s detection rules are public knowledge).
VPN Networks Mask Global Threats
Commercial VPN providers are aggressively expanding their global infrastructure. Major VPN providers now offer tunnels routing directly through Malta. This grants threat actors anywhere in the world the ability to mask their true geographic location and blend seamlessly into local Maltese traffic.
(Note: For the scope of this analysis, the focus remains specifically on consumer VPN services routed via Bring Your Own Device setups, rather than authorized corporate VPN gateways.)
Take a look at the log snippet below. At first glance, a fatigued analyst might see the country code and move on, but a closer look reveals conflicting data points:
Client IP Address: 82.149.80.60
Country Code: MT (Malta)
IP Category: Flagged as "Hosting"
ASN: Datacamp Limited (Crucially, not a residential Maltese ISP)

Cross-referencing this IP with external threat intelligence tools confirms the suspicion: the IP belongs to a known anonymization network. This is where the session timeline becomes highly problematic.

A user's session history might start entirely on a standard, residential ISP, but suddenly flip mid-session to a hosting data center IP while maintaining the same country code. This structural shift represents a clear deviation from an expected baseline.
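The two checks described above (a local country code paired with a hosting ASN, and a mid-session flip from a residential ISP to a data-centre IP) can be expressed as a small session-continuity routine. The following is an added illustration, not the author's tooling or any Microsoft API: the sign-in records, the enrichment table and the home country are constructed for the example, with the 82.149.80.60 entry mirroring the snippet discussed above.

```python
"""Session-continuity triage for Microsoft 365 sign-in events (added example).

Contrasts the naive "local country code => benign" logic with a check that
also weighs ASN category and shifts within one user's session. All data
below is constructed for illustration.
"""
from dataclasses import dataclass

HOME_COUNTRY = "MT"  # assumption: the entire user base operates from Malta

# Constructed IP enrichment (what a threat-intel / ASN lookup would return).
# 82.149.80.60 mirrors the snippet in the text; 203.0.113.45 is a made-up
# residential address from the RFC 5737 documentation range.
IP_ENRICHMENT = {
    "82.149.80.60": {"asn": "Datacamp Limited", "category": "Hosting"},
    "203.0.113.45": {"asn": "Example Residential ISP (constructed)", "category": "Residential"},
}


@dataclass
class SignIn:
    user: str
    time: str        # ISO-8601 timestamp
    ip: str
    country: str     # country code as reported in the sign-in log
    user_agent: str


def naive_geofence_verdict(event):
    """The binary logic the article warns against: local country => close as benign."""
    return "benign" if event.country == HOME_COUNTRY else "triage"


def enrich(ip):
    """Look up ASN name and category; unknown IPs get a neutral record."""
    return IP_ENRICHMENT.get(ip, {"asn": "unknown", "category": "Unknown"})


def session_findings(events):
    """Return (time, reason) findings for one user's sign-ins, ordered by time.

    Signals checked beyond the country code:
      * a local country code carried by a hosting / anonymisation ASN
      * a mid-session flip from a residential ASN to a hosting ASN
      * a user-agent change between consecutive sign-ins
    """
    findings = []
    prev = None
    for ev in sorted(events, key=lambda e: e.time):
        info = enrich(ev.ip)
        if ev.country == HOME_COUNTRY and info["category"] == "Hosting":
            findings.append((ev.time, f"local country code but hosting ASN: {info['asn']}"))
        if prev is not None:
            prev_info = enrich(prev.ip)
            if (prev_info["category"] == "Residential"
                    and info["category"] == "Hosting"
                    and prev.country == ev.country):
                findings.append((ev.time, "residential -> hosting shift within the same country"))
            if prev.user_agent != ev.user_agent:
                findings.append((ev.time, "user agent changed mid-session"))
        prev = ev
    return findings


def triage_session(events):
    """Escalate when any session-continuity finding exists, otherwise benign."""
    return "escalate" if session_findings(events) else "benign"


# Constructed session: two residential sign-ins, then the same user appears
# from a hosting ASN while still carrying the MT country code.
SAMPLE_SESSION = [
    SignIn("user@example.com", "2024-01-10T08:02:00Z", "203.0.113.45", "MT", "Edge/120"),
    SignIn("user@example.com", "2024-01-10T09:15:00Z", "203.0.113.45", "MT", "Edge/120"),
    SignIn("user@example.com", "2024-01-10T09:41:00Z", "82.149.80.60", "MT", "Edge/120"),
]

if __name__ == "__main__":
    print("naive verdicts:", [naive_geofence_verdict(e) for e in SAMPLE_SESSION])
    for when, reason in session_findings(SAMPLE_SESSION):
        print(when, reason)
    print("session verdict:", triage_session(SAMPLE_SESSION))
```

The naive check closes all three events as benign because every record carries the MT country code; the session view flags the third sign-in twice, once for the hosting ASN and once for the residential-to-hosting shift, and escalates the session. In production the enrichment table would be replaced by a live ASN and threat-intelligence lookup, and the user-agent comparison would be extended to device IDs as the article suggests.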
Geofencing Alone Is a Failed Strategy
Relying entirely on simple geographic parameters is no longer a viable security posture. For teams managing a massive user base, spending excessive manual time analysing a single alert to prove malicious intent introduces risk. Organizations must move past static geofencing by integrating deeper log parameters.
This is exactly why curated additional context fields and behavioural detection rules are critical. They allow organizations to build highly precise detection rules that catch advanced tactics automatically, while relying on machine learning to evaluate historical behaviour for every identity.

Moving Beyond Static Rules
When threat actors can rent local data centre infrastructure for a few euros, a local IP address can no longer be used as an indicator of trust. Relying on it may result in a compromise going unnoticed for weeks if not months. Security teams must transition to dynamic, behaviour-based detection models that analyse session continuity, ASN context, and device integrity in real time.
-Written by Emanuel Falzon