title: Acquire Access (T1650)
id: df00tech-t1650
status: experimental
description: "This detection identifies indicators that adversaries have leveraged purchased or brokered access to compromise an environment — the operational signature left when Initial Access Broker (IAB)-sold footholds are activated. Because T1650 itself is a pre-compromise preparation activity, detection focuses on anomalous authentication patterns consistent with a new threat actor using previously established access: first-use logons from novel geolocations for established accounts, high-risk sign-ins immediately followed by reconnaissance activity, web shell process ancestry patterns indicative of broker-planted backdoors, and external remote service sessions from IPs with no prior organizational history. Correlating Azure AD risk signals with unusual lateral movement timing provides the strongest detection fidelity."
references:
  - https://attack.mitre.org/techniques/T1650/
  - https://df00tech.com/detections/T1650
author: df00tech
date: 2026/03/20
tags:
  - attack.t1650
# NOTE: logsource is derived from the description, not from the vendor query, and may need
# adjustment for your environment. The sign-in indicators (novel geolocation, risk level,
# previously unseen source IP) map to Azure AD / Entra ID sign-in logs; the follow-on
# reconnaissance needs audit logs, and the web shell process-ancestry indicator needs
# endpoint process telemetry that this logsource does not cover.
logsource:
  product: azure
  service: signinlogs
detection:
  # PLACEHOLDER: the correlation logic (baseline of per-account countries and org-wide source
  # IPs, high-risk sign-in followed by reconnaissance within a short window) could not be
  # expressed as a flat Sigma selection; see the KQL/SPL query on df00tech. The selection
  # below is a stand-in that matches every record (and sign-in logs carry no EventID field),
  # so do not deploy this rule as-is, especially not at level high.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
  - Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
  - IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions
  - New employee first logon from home network or coworking space not in organizational baseline
  - Mergers/acquisitions onboarding new users from previously unseen IP ranges
level: high
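The following Python is an added example, not df00tech's KQL/SPL query and not part of the original rule. It models three of the indicators the description lists (first successful logon from a never-seen country for an established account, a source IP no account in the organisation has used before, and a high-risk sign-in followed within a short window by directory reconnaissance) and runs them over constructed sign-in and audit records whose field names follow Entra ID SigninLogs/AuditLogs columns (UserPrincipalName, Location, IPAddress, RiskLevelDuringSignIn, ResultType, OperationName, TimeGenerated). The history threshold, the correlation window, the set of operations treated as reconnaissance and all sample data are assumptions for illustration.

```python
"""Added example (not df00tech's query, not part of the original rule): a small
model of the T1650 follow-on detection logic over constructed Entra ID-style
sign-in and audit records. Thresholds, the recon operation set and the sample
data are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def signin(user, when, country, ip, risk="none", result=0):
    # ResultType 0 is a successful sign-in; risk mirrors RiskLevelDuringSignIn.
    return {"UserPrincipalName": user, "TimeGenerated": ts(when), "Location": country,
            "IPAddress": ip, "RiskLevelDuringSignIn": risk, "ResultType": result}


# Constructed sample sign-ins (not real logs). alice is an established account with a
# US-only baseline; bob is a new hire with no baseline at all.
SAMPLE_SIGNINS = [
    signin("alice@corp.example", f"2026-03-{d:02d}T09:00:00", "US", "198.51.100.7")
    for d in range(1, 7)
] + [
    signin("bob@corp.example", "2026-03-10T08:30:00", "DE", "203.0.113.9"),
    # the brokered-access activation: new country, new IP, flagged high by Identity Protection
    signin("alice@corp.example", "2026-03-20T02:14:00", "RU", "192.0.2.44", risk="high"),
]

# Constructed post-logon activity with AuditLogs-style OperationName values.
SAMPLE_ACTIVITY = [
    {"UserPrincipalName": "alice@corp.example", "TimeGenerated": ts("2026-03-20T02:17:00"),
     "OperationName": "List users", "IPAddress": "192.0.2.44"},
    {"UserPrincipalName": "alice@corp.example", "TimeGenerated": ts("2026-03-20T02:18:30"),
     "OperationName": "List groups", "IPAddress": "192.0.2.44"},
    {"UserPrincipalName": "bob@corp.example", "TimeGenerated": ts("2026-03-10T08:45:00"),
     "OperationName": "Update user", "IPAddress": "203.0.113.9"},
]

# Assumed set of directory operations treated as reconnaissance.
RECON_OPERATIONS = {"List users", "List groups", "List applications", "Get directory roles"}


def novel_country_logons(signins, min_history=5):
    """First successful logon from a country never seen for an established account
    (at least min_history prior successful sign-ins). Accounts without a baseline
    are skipped on purpose: that is what keeps the 'new employee first logon'
    false positive out of the results."""
    seen = defaultdict(set)
    count = defaultdict(int)
    alerts = []
    for ev in sorted(signins, key=lambda e: e["TimeGenerated"]):
        if ev["ResultType"] != 0:
            continue  # failed attempts neither build the baseline nor count as activation
        user, country = ev["UserPrincipalName"], ev["Location"]
        if count[user] >= min_history and country not in seen[user]:
            alerts.append((user, country, ev["IPAddress"]))
        seen[user].add(country)
        count[user] += 1
    return alerts


def novel_org_ips(signins, baseline_end):
    """Source IPs of successful sign-ins after baseline_end that no account in the
    organisation used during the baseline window (the 'no prior history' indicator)."""
    baseline = {e["IPAddress"] for e in signins
                if e["ResultType"] == 0 and e["TimeGenerated"] <= baseline_end}
    return sorted({e["IPAddress"] for e in signins
                   if e["ResultType"] == 0 and e["TimeGenerated"] > baseline_end
                   and e["IPAddress"] not in baseline})


def high_risk_then_recon(signins, activity, window=timedelta(minutes=15)):
    """High-risk successful sign-in followed within `window` by reconnaissance-type
    directory operations from the same account."""
    alerts = []
    for ev in signins:
        if ev["ResultType"] != 0 or ev["RiskLevelDuringSignIn"] != "high":
            continue
        start = ev["TimeGenerated"]
        recon = [a["OperationName"] for a in activity
                 if a["UserPrincipalName"] == ev["UserPrincipalName"]
                 and start <= a["TimeGenerated"] <= start + window
                 and a["OperationName"] in RECON_OPERATIONS]
        if recon:
            alerts.append((ev["UserPrincipalName"], ev["IPAddress"], recon))
    return alerts


def run_all(signins=SAMPLE_SIGNINS, activity=SAMPLE_ACTIVITY,
            baseline_end=ts("2026-03-15T00:00:00")):
    return {"novel_country": novel_country_logons(signins),
            "novel_org_ip": novel_org_ips(signins, baseline_end),
            "risk_then_recon": high_risk_then_recon(signins, activity)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

Each function alone reproduces one of the listed false positives (a travelling employee trips `novel_country_logons`, a VPN exit change trips `novel_org_ips`); the fidelity the description promises comes from requiring the risk signal and the reconnaissance follow-up together, which is why `high_risk_then_recon` is the one worth paging on and the other two are better treated as enrichment.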
