Impossible Travel Login Detection

AuthenticationAttacks Multi-Platform Account Compromise / Impossible Travel

What This Means

Detect impossible travel anomalies where a user authenticates from geographically distant locations in an impossibly short timeframe, indicating credential compromise.

Example Log

-- Two logins from physically impossible locations:
Login 1: jsmith@contoso.com from New York, US at 14:00 UTC (IP: 72.21.x.x)
Login 2: jsmith@contoso.com from Moscow, RU at 14:15 UTC (IP: 195.19.x.x)
-- Distance: ~7,500 km in 15 minutes (impossible without teleportation)

Indicators of Suspicious Activity

Two successful logins from locations hundreds of miles apart within minutes
Login from a country where the organization has no presence
Sudden change in login geography after consistent patterns from one location
Multiple geographic anomalies for the same account in a single day
Login from a known VPN/proxy service following a legitimate login
Geographic location inconsistent with the devices timezone setting

How to Investigate

Verify with the user whether they are traveling or using a VPN
Check the exact IP addresses and determine if either is a VPN/proxy
Review the GeoIP data accuracy — some IP geolocation databases have errors
Check if the second login used a different authentication method or device
Investigate what actions were performed during the suspicious session
Determine if any MFA bypass methods were used

Recommended Mitigations

Implement impossible travel detection in your SIEM or identity provider
Configure Conditional Access policies that block or require MFA from new countries
Deploy UEBA (User Entity Behavior Analytics) for geographic anomaly detection
Set up automated alerts for impossible travel events with P1 severity
Enable location-based access policies that restrict authentication to known regions
Require MFA re-verification when geographic anomaly is detected

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 8 + 7?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

What is impossible travel? ▼

Impossible travel is when a user account authenticates from two geographic locations that are too far apart to physically travel between in the elapsed time. For example, logging in from New York and then London 10 minutes later.

Can VPNs cause false positive impossible travel alerts? ▼

Yes. If a user connects through a VPN, their apparent location changes to the VPN exit node. This is the most common cause of false positives. Include VPN IP ranges in your exclusion list.

How do I calculate if travel is impossible? ▼

Estimate the distance between the two GeoIP locations and divide by the time elapsed. If the required speed exceeds ~900 km/h (commercial jet speed), the travel is physically impossible.