Forum Discussion

sumo83
Iron Contributor
Jan 31, 2024

Locked account due to many attempts from malicious IP

Hello experts,

Today, a user contacted me that she cannot access M365 and asked me to unlock her account. The first thing I checked was her sign-ins in MS Entra, and there I found many, many attempts to log in from different countries, like India, Russia, Denmark, etc., that happened with just a few seconds' delay.... As a result, the user's account got blocked. I've had to deal with this kind of issue for the first time.... See pictures below.

Now, it looks like there was another user under the same attack a few days ago (who is on vacation, so he doesn't know he is blocked for now :)).... Anyway, I'm wondering: how can I prevent these types of attack?

We have MFA (app auth) configured, so even if the password got broken, MFA should prevent the attacker from signing in.

I was going to create a Conditional Access policy, but there are countries like Italy, Denmark (and other EU ones), etc., that I don't want to block.

We have M365 E3 with M365 E5 Security subscriptions assigned to all users.

I would be grateful for any advice.


    • sumo83
      Iron Contributor
      This looks promising... I was not aware of this feature.... If I understand it properly, it has the possibility to unlock the password after a configured duration... which is what I need... and have it unlocked without admin or user intervention....

      Will do more research on this feature and test it 😉
    • sumo83
      Iron Contributor

      OK.. So I've done some more reading on this.... and it looks like Smart Lockout is enabled by default? .. and to modify it, I can do it as described in the blog.... So I am not sure if modifying the default settings will help...

      I am a bit surprised that I do not see anything under "Protection > Identity Protection > Risky users, ...or Risky sign-ins"... I can't understand why, as the user's account was blocked due to lots of attempts from a malicious IP. I would expect that the user would be visible under Risky Users?

      From the sign-in logs, I could see that those attempts were blocked.... during the password spray attack that was going on against that account for 2 days... so smart lockout was doing its job, I guess.... as it was blocking them without affecting the real user.... However, due to the large number of attempts from the attacker, the user account got blocked anyway eventually....


      How to protect against this?
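A check for the pattern described in this thread, as an added example that is not part of the original post or of any Microsoft tool: it scans sign-in records shaped like Microsoft Graph signIn objects (the field names are real, the sample rows are constructed) for bursts of failed password sign-ins from several countries within a short window, and notes whether a smart lockout (Entra error 50053) followed. Thresholds, user names and IPs are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra sign-in error codes: 50126 = invalid username or password,
# 50053 = account locked by smart lockout.
FAILED_PASSWORD = 50126
ACCOUNT_LOCKED = 50053


def _rec(upn, ts, ip, country, code):
    """Build one record shaped like a Microsoft Graph signIn object."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


# Constructed sample log: alice is sprayed from several countries within
# 30 seconds and ends up locked out; bob mistypes once and then succeeds.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2024-01-31T08:00:01Z", "203.0.113.10", "IN", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:04Z", "198.51.100.7", "RU", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:09Z", "192.0.2.44", "DK", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:12Z", "203.0.113.11", "IN", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:18Z", "198.51.100.8", "RU", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:25Z", "192.0.2.45", "BR", 50126),
    _rec("alice@example.com", "2024-01-31T08:00:31Z", "203.0.113.12", "IN", 50053),
    _rec("bob@example.com", "2024-01-31T09:15:00Z", "192.0.2.99", "DK", 50126),
    _rec("bob@example.com", "2024-01-31T09:15:20Z", "192.0.2.99", "DK", 0),
]


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(signins, window_seconds=60, min_failures=5, min_countries=3):
    """Return {upn: summary} for users with >= min_failures failed password
    sign-ins from >= min_countries countries inside any window_seconds span."""
    by_user = defaultdict(list)
    for event in signins:
        by_user[event["userPrincipalName"]].append(event)
    findings = {}
    for upn, events in by_user.items():
        failures = sorted((e for e in events if e["status"]["errorCode"] == FAILED_PASSWORD), key=_ts)
        window = timedelta(seconds=window_seconds)
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if _ts(e) - _ts(first) <= window]
            countries = {e["location"]["countryOrRegion"] for e in burst}
            if len(burst) >= min_failures and len(countries) >= min_countries:
                findings[upn] = {"failures": len(burst), "countries": sorted(countries),
                                 "source_ips": sorted({e["ipAddress"] for e in burst}),
                                 "locked_out": any(e["status"]["errorCode"] == ACCOUNT_LOCKED for e in events)}
                break  # one finding per user is enough
    return findings
```

Feeding an export of the real sign-in logs through `detect_spray` gives the list of sprayed users and source IPs to feed into a Conditional Access or named-location decision, which is finer-grained than blocking whole countries.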
