Modern Microsoft 365 authentication issues tokens — essentially digital passes — that allow users to stay signed in across sessions without re-entering credentials. These tokens are stored in the browser or application and presented automatically on each request. If an attacker steals a valid token, they can use it to impersonate the user without needing their password or passing MFA, because the authentication has already been completed.
Session hijacking via unusual IP change is one of the clearest signals that a token has been stolen and is being used from a different location. When the IP address associated with an active session changes dramatically — particularly to a different country or an anonymising service like Tor or a commercial VPN — it suggests the session is no longer being used by the original user.
This is one of the primary techniques used in Adversary-in-the-Middle (AiTM) phishing attacks, where a proxy intercepts the authentication flow and captures the token in real time.
Some IP changes during an active session are legitimate:
The key differentiators for a suspicious IP change are: geographic implausibility (the IP change implies travel that couldn't have happened in the time elapsed), use of anonymising infrastructure (Tor, datacenter IP ranges, commercial proxy services), and sudden appearance in a country with no prior sign-in history for that user.
Overe Auto-Response: The Possible Session Hijack - Unusual IP Change alert can be configured in Overe to trigger automatic session revocation or account block when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response to ensure an appropriate automated action is in place for this high-severity indicator.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a session hijack alert, review these related risk areas: