Product: Huntress Managed Identity Threat Detection and Response (ITDR)
Environment: Microsoft Entra
Summary: This article explains the difference between interactive and non-interactive logins and how Huntress monitors them to detect signs of compromise like Token Theft or Unwanted Access.
Understanding Login Types
Huntress monitors two primary categories of logins to a user's identity provider (IdP) to establish a baseline of normal user behavior and quickly spot anomalies.
1. Interactive Logins
Interactive logins are any sign-in attempts where the user actively engages with the authentication process. This process typically requires the user to manually input their:
- Username or email address
- Password
- A form of multi-factor authentication (2FA or MFA)
This action creates a unique, human-intervened session on the device. Because this type of login involves the most user effort and is generally infrequent (often only happening on a new device or after a long sign-out period), it is monitored with the highest scrutiny by Huntress.
2. Non-Interactive Logins
Non-interactive logins are sign-in events where the user does not have to input their password or 2FA. This is the most common type of login method. These logins use automated processes to access an account, such as:
- Scripts or Services: Automated applications running in the background.
- Stored Credentials (Cache): Your browser or application accessing previously saved sign-in information.
- Tokens: Unique identifiers that contain previous session details, allowing access without a full sign-in.
Because these logins are part of the normal day-to-day user experience (e.g., opening your work email in your primary browser without having to type your password), they are often considered benign and help Huntress establish a baseline of what is "normal" for a specific user and device.
How Huntress ITDR Uses Login Data
Huntress monitors all login types, but the context and details of an Interactive Login are what often trigger an alert.
| Scenario | Login Type | Huntress Reaction |
| Normal: Opening a browser you used yesterday to check email where the account remains signed in for an extended period of time. | Non-Interactive | Establishes a baseline of normal user activity. Huntress alert is unlikely. |
| Normal: Signing in on a new work phone or a newly provisioned laptop. | Interactive | May trigger an alert because a new device is involved. This may lead to a false positive alert that can be easily dismissed by the admin. |
| Suspicious: A first-time sign-in (Interactive Login) from a new device, from a new country, using new security features (like a different VPN), and on a different browser. | Interactive | The confluence of new and unusual factors often indicates Token Theft or Unwanted Access, which will result in an escalation or Incident Report from Huntress. |
A Note on Brute Force Attempts
Brute force techniques are used by threat actors to gain access when passwords or secondary authentication steps are unknown.
- Brute force attempts involve an attacker repeatedly attempting Interactive Logins by leveraging random or known information (OSINT) to guess a password.
- Threat actors take advantage of accounts using Legacy Authentication Protocols (authentication that does not require MFA) by using credential stuffing and password spray attacks.
- Threat actors also commonly use tactics like MFA Fatigue (constantly prompting a user to approve 2FA) in hopes a user approves a malicious sign-in.
- On their own, these attempts are not a sign of user account compromise. Compromise occurs after a brute force attempt results in a successful Interactive Login.
- Unsuccessful brute force attempts will not result in a Huntress alert.
If you suspect brute force activity or have a user account that may be targeted, consider the following best practices:
- Reset passwords to unique and strong passwords. Avoid commonly used passwords, or password re-use across accounts. Consider password storage tools to keep password encrypted and randomized.
- We strongly recommend that the user has Multi-Factor Authentication (MFA or 2FA) configured. Features like Security Defaults in the Microsoft Entra ID portal can help with this setup, and is a helpful alternative for Legacy Authentication Protocols.
- Where possible, set up login rules like Conditional Access Policies to create further lock-out options in the event of a successful brute force login.
- Consider configuring Unwanted Access rules in the Huntress portal, so if a threat actor does attempt to access your user identity, we can alert you based on conditions like VPN usage, or Country logins.
If Huntress detects a successful, but unexpected login that may be malicious, we will send an escalation and/or Incident Report detailing our findings and taking protective measures to limit threat actor activity.