Description
This detector identifies discrepancies between a user’s reported geographic location and their expected location profile. Detection is most effective when the observed session location is evaluated against authoritative organizational data and the user’s historical behavior.
Rather than relying on a single signal, this detector correlates multiple sources of location context to identify inconsistencies that are unlikely to occur during legitimate access.
Common indicators include:
Identity provider login inconsistencies
The current session originates from a location that does not align with the user’s historical authentication patterns recorded in identity systems such as Okta, Azure Active Directory, or Google Workspace.
Mismatch with HR or organizational records
The observed location conflicts with information maintained in HR systems, such as a listed home office, country of employment, or address provided during onboarding.
Physically implausible movement patterns
Sequential logins from geographically distant locations within a timeframe too short for realistic travel between them, such as access from New York followed shortly afterwards by access from London.
IP address and browser location divergence
The IP-based geolocation places the session in one country or region, while browser-derived signals such as the Geolocation API (GPS or Wi-Fi positioning), time zone settings, or language preferences point to another.
Relevance to Social Engineering Attacks
Location inconsistencies are often the first technical fault line encountered during social engineering attempts. Attackers may succeed in stealing credentials, but accurately reproducing a user’s geographic context is significantly more difficult.
Common attack-related scenarios include:
Validation of false support narratives
When an attacker claims to be working from a specific office or region during a help desk interaction, mismatched location signals immediately undermine the credibility of the pretext.
Exposure of proxy or VPN configuration leaks
Attackers frequently overlook system-level indicators such as time zone configuration, browser locale, or browser location services. Even when a VPN or proxy is active, these leaks can reveal the attacker's true location and produce a location signal that does not match the IP-derived one.
Detection of first-time credential misuse
Stolen credentials are often used from locations that differ significantly from the victim's usual access region, so the first use of compromised credentials frequently triggers a location mismatch event.
Examples of Detected Tooling and Techniques
This detector is effective against a range of location manipulation and misconfiguration scenarios, including:
Location spoofing extensions
Browser extensions that override the values returned by navigator.geolocation to report a falsified position, which then disagrees with the IP-derived location.
Proxy and VPN misconfigurations
Situations where network tunneling is active but browser-level signals such as WebRTC ICE candidates, Accept-Language headers, or time zone settings continue to expose the original location.
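The following is an added example, not code from this page or from the product it describes. It is a hypothetical Python detector that implements the four indicators listed under "Common indicators" (HR record mismatch, identity provider history mismatch, physically implausible travel, IP versus browser divergence) together with the VPN/proxy leak and navigator.geolocation spoofing cases from the tooling list above. The profile, the session records, the RFC 5737 test addresses, the speed and distance thresholds, and the per-country UTC offset table are all constructed assumptions.

```python
"""Hypothetical location-mismatch detector (added example; thresholds and data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, FrozenSet, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling, roughly airline speed; tune per organization
MIN_TRAVEL_KM = 50.0         # ignore jitter between nearby IP geolocation points
GEO_DIVERGENCE_KM = 200.0    # browser position further than this from the IP position is suspect

# Assumed lookup table: plausible UTC offsets (minutes, including DST) per country code.
COUNTRY_UTC_OFFSETS = {
    "US": {-240, -300, -360, -420, -480, -540, -600},
    "GB": {0, 60},
    "FR": {60, 120},
}


@dataclass
class Session:
    ts: datetime                  # authentication time, UTC, from the IdP log
    ip: str                       # request source address seen by the IdP
    country: str                  # IP-geolocated country (ISO 3166-1 alpha-2)
    lat: float                    # IP-geolocated coordinates
    lon: float
    js_tz_offset_min: Optional[int] = None       # Date().getTimezoneOffset(): UTC minus local
    accept_language: Optional[str] = None        # Accept-Language request header
    webrtc_srflx_ip: Optional[str] = None        # public IP from a WebRTC server-reflexive ICE candidate
    browser_geo: Optional[Tuple[float, float]] = None   # navigator.geolocation (lat, lon)


@dataclass
class Profile:
    hr_country: str                # country of employment from the HR system
    idp_countries: FrozenSet[str]  # countries present in the user's IdP login history


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def browser_findings(s: Session) -> List[str]:
    """Per-request checks: do browser-side signals agree with the IP geolocation?"""
    out = []
    if s.js_tz_offset_min is not None:
        local_offset = -s.js_tz_offset_min         # JS reports UTC minus local; flip to UTC+N
        if local_offset not in COUNTRY_UTC_OFFSETS.get(s.country, set()):
            out.append("timezone_divergence")
    if s.accept_language:
        primary = s.accept_language.split(",")[0].split(";")[0]   # e.g. "en-US"
        parts = primary.split("-")
        if len(parts) > 1 and parts[1].upper() != s.country:
            out.append("locale_region_divergence")
    if s.webrtc_srflx_ip and s.webrtc_srflx_ip != s.ip:
        out.append("webrtc_ip_leak")               # ICE/UDP bypassed the proxy or VPN tunnel
    if s.browser_geo is not None and haversine_km(s.lat, s.lon, *s.browser_geo) > GEO_DIVERGENCE_KM:
        out.append("geolocation_divergence")       # real GPS/Wi-Fi position or a spoofing extension
    return out


def evaluate(profile: Profile, sessions: List[Session]) -> Dict[str, List[str]]:
    """Correlate each session with HR data, IdP history and the previous login; returns {ip: findings}."""
    findings: Dict[str, List[str]] = {}
    prev: Optional[Session] = None
    for s in sorted(sessions, key=lambda x: x.ts):
        f = []
        if s.country != profile.hr_country:
            f.append("hr_record_mismatch")
        if s.country not in profile.idp_countries:
            f.append("idp_history_mismatch")
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            hours = (s.ts - prev.ts).total_seconds() / 3600
            # zero elapsed time with a large distance means simultaneous access from two places
            if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                f.append("impossible_travel")
        f.extend(browser_findings(s))
        findings[s.ip] = f
        prev = s
    return findings


def sample_run() -> Dict[str, List[str]]:
    """Constructed data: alice is US-based per HR and has only ever logged in from the US."""
    alice = Profile(hr_country="US", idp_countries=frozenset({"US"}))

    def t(h: int, m: int) -> datetime:
        return datetime(2024, 3, 4, h, m, tzinfo=timezone.utc)

    sessions = [
        # legitimate login from New York (RFC 5737 test address); EST is UTC-5 on this date
        Session(t(9, 0), "198.51.100.23", "US", 40.7128, -74.0060,
                js_tz_offset_min=300, accept_language="en-US,en;q=0.9"),
        # 90 minutes later through a London VPN egress; the browser leaks a Bogota time zone,
        # an es-CO locale, a non-tunnelled WebRTC address and a Geolocation API position
        Session(t(10, 30), "203.0.113.7", "GB", 51.5074, -0.1278,
                js_tz_offset_min=300, accept_language="es-CO,es;q=0.9",
                webrtc_srflx_ip="192.0.2.45", browser_geo=(4.7110, -74.0721)),
        # later login from a Paris exit with a consistent browser profile; travel from London is plausible
        Session(t(14, 0), "203.0.113.99", "FR", 48.8566, 2.3522,
                js_tz_offset_min=-60, accept_language="fr-FR,fr;q=0.9"),
    ]
    return evaluate(alice, sessions)


if __name__ == "__main__":
    for ip, f in sample_run().items():
        print(ip, f or "no findings")
```

Running it flags nothing for the New York login, every one of the seven checks for the London session (the HR and history mismatches, impossible travel at roughly 3,700 km/h, and the four browser-side divergences), and only the HR and history mismatches for the Paris session, whose London-to-Paris hop is well within the speed ceiling. A production version would replace the offset table with an IP geolocation feed that returns the time zone directly, key findings by session identifier rather than IP, and weight the browser-side signals below the record-based ones, since a traveller with a stale Accept-Language header should not score like a stolen credential.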
Notable Incidents and Threat Actors
Lapsus$ Group
Identified in multiple incidents after accessing corporate environments from geographic regions that did not align with the employees they were impersonating, despite possessing valid credentials.
GambleForce
An advanced threat group observed exhibiting anomalous and physically implausible location transitions while targeting organizations across multiple regions in rapid succession.