Allowing someone to enter a secure area because you held the door open for them can be considered this.
What is piggybacking
This issue occurs when a user shares a folder using a link that is open to the internet and not protected by a password.
What is a Public Link Issue
The first step when a user admits they clicked a phishing link and entered credentials.
What is disables the account
In Active Directory, this action immediately blocks authentication attempts but keeps the account intact.
What is Disable Account
This indicator appears when a user logs in successfully, but from a location they’ve never used before, such as another state or country.
What is geolocation anomaly
An unauthorized person slips in by following closely behind someone with valid credentials, usually without their knowledge.
What is tailgating
A link shared with someone outside NoxGroup that still requires the user to be authenticated.
What is an External Link
Resetting this alone is not enough because it does not revoke stolen tokens.
What is the password
The Microsoft portal where you perform account revocation, sign-in logs review, and device checks.
What is Microsoft Entra Admin Center
Egnyte may flag a user deleting or modifying large volumes of files in a short period, especially outside their normal work pattern.
What is abnormal file activity
(or What is a mass deletion IOC)
Searching through office trash to extract sensitive documents or credentials.
What is dumpster diving
An Egnyte issue triggered when a user deletes or accesses large volumes of files in a short period.
What is Unusual Access
After disabling the account, this action removes active refresh tokens and logins across all devices.
What is Revoke All Sessions
These two places must be checked for suspicious MFA failures, unusual IPs, or device hijack indicators.
What are Sign-In Logs and Devices
When a user suddenly receives multiple MFA prompts they did not initiate, it often indicates this type of ongoing attack.
What is an MFA Fatigue Attack
Leaving your workstation unlocked when stepping away gives attackers an opportunity for this type of physical compromise.
What is an unattended workstation attack
When two or more login attempts occur from different regions, different IPs, or different countries at the same time.
What is a Suspicious Login
Removing recognized and unrecognized devices in Entra is only required if this is detected.
What is an IOC (Indicator of Compromise)
This type of hijack occurs when stolen refresh tokens allow an attacker to stay logged in even after a password reset.
What is session hijacking
This IOC appears when login attempts occur from two distant locations within a timeframe that makes legitimate travel impossible.
What is impossible travel?
An attacker follows someone through a secure door by pretending they forgot their badge or acting like they’re part of the crew.
What is social engineering for access or badge-tailgating
Secure & Govern reports that an external user has direct access to an internal folder.
What do you do in accordance with the Access Hygiene policy?
What is remove the permission and validate whether sharing is still required
The final step of account recovery, only done after the account is contained and sessions are revoked.
What is password reset
The next action after disabling an account if MFA prompts are failing repeatedly or coming from unfamiliar locations.
What is remove devices or re-register MFA
A sign of potential session hijack: the password is changed, but the attacker’s device remains logged in and continues performing actions.
What is token persistence?
(or What is a persistent refresh token hijack?)