Forum Discussion

Eugene Pinson's avatar
Eugene Pinson
Copper Contributor
Jul 28, 2017
Solved

Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

We have noted a drastic increase in the number of failed log on attempts coming from countries outside the US within ADFS, obviously attempting to log in through Exchange Online. (When reviewing eve...
admin
exchange online
office 365
  • Eugene Pinson's avatar
    Eugene Pinson
    Dec 21, 2018

    Not sure if any one has seen this. There is a new tool for your basket. This has helped us greatly.

    A couple of months ago Microsoft released to preview and then has pushed forward 'Authentication Policies'.

    These authentication policies are processed prior to being passed to AAD or ADFS saving the failed login against the account

    And yes this can be applied to individual or small groups to test first (just remember to wait to assure the policy is applied to the user in question before calling it good or not)

     

    See "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online"

     

    Basic outline

    Assure you have modern authentication enabled for your organization

    Create an authentication policy blocking basic auth for pop, imap and such (The biggest one we were seeing was imap)

     

    If you have any user or service accounts that requires basic auth for any of the protocols you are disabling in the previous policy, create a second policy allowing the protocols

     

    If you have any users that utilizing pop, imap or any other method you determine don't need basic authentication, get them migrated to some other form of client app or access

     

    If there are any accounts that absolutely require basic auth (ie we have a ticketing system that utilizes imap with basic auth to connect to a specific mailbox), make note of them to exclude in your query for users to apply your restricted policy to

     

    Query for and apply unrestricted policy to service account or user that requires the basic auth for the protocols disabled by the restricted policy

     

    Query for and apply restricted policy to the majority of your users

    Apply restricted policy as global default (for new users)

     

    Either wait 24 hours for it to be applied or touch a user property on the user and wait approximately 30 minutes.

     

    Note, the below worked for me. Make sure you research and adjust for your own needs. I take no responsibility for what you do to your environment. These are only examples

     

    Exchange Powershell commands used

    connect-exopssession -UserPrincipalName {exchangeonline admin}

     

    New-AuthenticationPolicy -Name "Block_Basic_Auth_Selective”

     

    {Blocks basic auth for imap, pop, smtp but allows for things like activesync}
    (Adjust according to your needs)
    Set-AuthenticationPolicy -Identity “Block_Basic_Auth_Selective” -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap:$false -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices -AllowBasicAuthPowerShell

     

    New-AuthenticationPolicy "Allow_Basic_Auth"

     

    (Adjust according to your needs)
    Set-AuthenticationPolicy -Identity “Allow_Basic_Auth” -AllowBasicAuthActiveSync:$true -AllowBasicAuthAutodiscover:$true -AllowBasicAuthImap:$true -AllowBasicAuthMapi:$true -AllowBasicAuthOfflineAddressBook:true -AllowBasicAuthOutlookService:$true -AllowBasicAuthPop:$true -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$true -AllowBasicAuthWebServices:true -AllowBasicAuthPowerShell

     

    To simplifiy things for my environment I manually set the users that required basic auth (I only had two)

    set-user -Identity "User One" -AuthenticationPolicy "Allow_Basic_Auth"

     

    To touch the user to make the policy get applied quicker

    set-user -Identity "User One" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

     

    For the rest of my users

    $Users = Get-User -ResultSize unlimited | Where {$_.RecipientType -eq "UserMailbox" -and $_.AuthenticationPolicy -eq $null}

    $users =$users.WindowsEmailAddress

    $users | %{Set-User -Identity $_ -AuthenticationPolicy “Block_Basic_Auth_Selective”}

    If you want to touch the users to apply policy quicker, since the query is already in memory

    $users | %{Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}


    Now the following command will apply the restricted policy as the global default. (Note, when I first implemented this, the unrestricted users did not have a policy applied and as such I thought they would have no policy applied, but once the default policy was applied to the global config, it affected the unrestricted unconfigured users.)

    Set-OrganizationConfig -DefaultAuthenticationPolicy “Block_Basic_Auth_Selective”


    Remember, mileage will vary. Read everything you can find on Authentication Policy/ies

    For us, for now, this has completely removed the issues we were having with illigitimate failed login attempts and account lockouts.
    We ran into only the one issue mentioned above with the accounts that had no policy assigned and then the global policy being applied

    Remember, it takes approximately 24 hours for the policy to be applied to a user unless one of the user's properties are modified

     

    There is one thing I will mention, at this time, when this is applied, there is nothing logged for failed attempts that fall afoul of the blocked basic auth policy even in Azure Ad Sign-ins

      

    -Gene

     

Dale Puumala's avatar
Dale Puumala
Copper Contributor
Oct 25, 2018

I downloaded your script and modified it to block the entire /24 for each IP address (bigger hammer).  It works great.  So great that...in less than 24 hours I reached a limit on the AnyOfClientIPAddressesOrRanges Property.  I receive the error now: The length of the property is too long. The maximum length is 40960 and the length of the value provided is 44620.

 

Have you ran across that yet? Account lockouts are getting really old. 

 

It would be wonderful if MS would just put in true geo-blocking, not Conditional Access, which only works after successful authentication.

Daniel S. Gurrola II's avatar
Daniel S. Gurrola II
Copper Contributor
Oct 29, 2018
I am working on this very same thing and it has been nasty! I got to the exact same place as Eric albeit just a TINY bit differently, but exact same idea. Since most of these attacks are from countries we have no business with or executives traveling to we block out the IP's whole registered subnet.

I am working on adding the ability to get that data from http://who.is or elsewhere (I am curious about that Linux command Eric uses for GeoIP data). Adding this to the script will most definitely save me having to go look it up. I have 4 /8's and 2 /16 subnets in my lists now. so for now we are OK with the limit you ran into.

We are going to have to pony up for some form of token access or service like DUO which we already use for Remote Desktop Gateway MFA. I just need a way to authenticate people that SHOULD be authenticated not just usernames that CAN be. I'm looking for a way to allow our Execs to just not be bothered with this at ALL since it's only a matter of time until someone goes to China and then we are back to the drawing board!

Resources