Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.
Signals
- Source IPs resolve to known VPN providers (NordVPN, ExpressVPN, Mullvad) or Tor exit nodes
- Multiple authentication attempts originate from rapidly changing IPs across different ISPs and countries
- Threat intelligence feeds flag the source IPs as anonymization infrastructure
Pivot Actions
1. Shift focus from IP-based attribution to behavioral indicators: session tokens, user-agent strings, timing patterns
2. Correlate login timestamps and session durations to build an activity pattern independent of source IP
3. Analyze email headers, OAuth tokens, and application-layer identifiers that persist across IP changes
4. Deploy conditional access policies requiring MFA or compliant-device checks to block non-corporate access regardless of IP
5. Monitor for the attacker reusing any non-anonymized infrastructure (e.g., a single slip revealing their real IP)
Alternate Evidence Sources
- Application-layer session logs (OAuth tokens, session cookies, API keys) that persist across IP changes
- Email header analysis (X-Originating-IP, Received chain) from messages sent during the compromise
- User-agent and TLS fingerprint (JA3/JA4) data that may remain consistent across VPN hops
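An added example (not part of the original playbook) of the pivot described under Pivot Actions and Alternate Evidence Sources: authentication events are clustered by (user-agent, JA3) instead of source IP, and any cluster that spans several IPs and ASNs is surfaced together with its hour-of-day activity profile. The event records, field names and fingerprint values are constructed for illustration; a real deployment would read them from the IdP or reverse-proxy logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from any real environment).
# Each record carries the application-layer identifiers the playbook pivots
# on (user-agent, JA3) alongside the rotating network identifiers.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:11:00", "user": "alice", "ip": "198.51.100.7",
     "asn": "AS64500", "country": "NL", "ua": "python-requests/2.31", "ja3": "f0e1d2"},
    {"ts": "2024-03-01T02:14:00", "user": "alice", "ip": "203.0.113.42",
     "asn": "AS64501", "country": "SE", "ua": "python-requests/2.31", "ja3": "f0e1d2"},
    {"ts": "2024-03-01T02:20:00", "user": "bob", "ip": "192.0.2.88",
     "asn": "AS64502", "country": "RO", "ua": "python-requests/2.31", "ja3": "f0e1d2"},
    {"ts": "2024-03-01T03:05:00", "user": "bob", "ip": "198.51.100.200",
     "asn": "AS64500", "country": "NL", "ua": "python-requests/2.31", "ja3": "f0e1d2"},
    # Legitimate activity: one fingerprint, one network.
    {"ts": "2024-03-01T09:00:00", "user": "alice", "ip": "10.0.0.15",
     "asn": "AS64499", "country": "US", "ua": "Mozilla/5.0 (Windows NT 10.0)", "ja3": "a1b2c3"},
    {"ts": "2024-03-01T13:30:00", "user": "alice", "ip": "10.0.0.15",
     "asn": "AS64499", "country": "US", "ua": "Mozilla/5.0 (Windows NT 10.0)", "ja3": "a1b2c3"},
]


def cluster_by_fingerprint(events):
    """Group events by (user-agent, JA3), ignoring the source IP entirely."""
    clusters = defaultdict(list)
    for e in events:
        clusters[(e["ua"], e["ja3"])].append(e)
    return clusters


def find_rotating_clusters(events, min_ips=3, min_asns=2):
    """Return fingerprint clusters spanning >= min_ips IPs and >= min_asns ASNs:
    one client fingerprint seen from many unrelated networks is the signature
    of rotating VPN/Tor/proxy use, so the cluster becomes the unit of tracking."""
    flagged = {}
    for key, evs in cluster_by_fingerprint(events).items():
        ips = {e["ip"] for e in evs}
        asns = {e["asn"] for e in evs}
        if len(ips) >= min_ips and len(asns) >= min_asns:
            flagged[key] = {
                "events": len(evs),
                "ips": sorted(ips),
                "asns": sorted(asns),
                "countries": sorted({e["country"] for e in evs}),
                "targeted_users": sorted({e["user"] for e in evs}),
                # Hour-of-day profile: the timing pattern that survives IP changes.
                "active_hours": sorted({datetime.fromisoformat(e["ts"]).hour for e in evs}),
            }
    return flagged
```

The thresholds are assumptions; tune `min_ips` and `min_asns` to the normal mobility of your user base so that a single user on a cellular carrier does not trip the rule.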