Forum Discussion

Sean Kuchle's avatar
Sean Kuchle
Brass Contributor
Jul 02, 2019

Failed log on (Failure message: Account is locked because user tried to sign in too many times with

My company has been experiencing an attack from China IP addresses (random) for a while and I can't seem to block them. I'm getting these errors "Failed log on (Failure message: Account is locked bec...
Authentication
office 365
security
LilleLars's avatar
LilleLars
Copper Contributor
Apr 27, 2020

Sean Kuchle 

I have the same issue.

Did you get anywhere with a proper answer or solution ?

I have daily more than 500 login tries from China, US, Thailand etc. with failed login using IMAP.

Failure reason  "Account is locked because user tried to sign in too many times with an incorrect user ID or password."

IMAP disable in exchange and Block Legacy Cond. Access is applied, how can I tell if we are not in trouble if I still get 50053 error when service is disabled ?

thank you

  • Pavel Otych's avatar
    Pavel Otych
    Brass Contributor
    Apr 27, 2020

    LilleLars As @Vasil Michev said the CA policies are only being applied AFTER succesful authentication through basich auth protocols (POP3, IMAP, SMTP, etc.). That's why you're seeing this behaviour. 

     

    To eliminate these spray attacks you need to disable basic auth in Exchange Online. Please have a look at the following article on how to do that: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

    • LilleLars's avatar
      LilleLars
      Copper Contributor
      Apr 28, 2020

      Pavel Otych 

      Thank you Pavel, im testing now and this tenant did not have any "authentication policies" already.

      Ive done this:

      New-AuthenticationPolicy -Name "Block Basic Auth"
      Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

      gives me below result which looks good.

      I´ve waited  10 hours and stille I see IMAP error 50053 "account is blocked" in the Sign-ins log

      Hope I did it correct?

       

      AllowBasicAuthActiveSync : False
      AllowBasicAuthAutodiscover : False
      AllowBasicAuthImap : False
      AllowBasicAuthMapi : False
      AllowBasicAuthOfflineAddressBook : False
      AllowBasicAuthOutlookService : False
      AllowBasicAuthPop : False
      AllowBasicAuthReportingWebServices : False
      AllowBasicAuthRest : False
      AllowBasicAuthRpc : False
      AllowBasicAuthSmtp : False
      AllowBasicAuthWebServices : False
      AllowBasicAuthPowershell : False

       

      • Pavel Otych's avatar
        Pavel Otych
        Brass Contributor
        Apr 28, 2020

        LilleLars The steps you've done are correct and should be enough. If you're seeing this for a specific user account you can check he has the policy applied and run "Get-User -Filter "AuthenticationPolicy -eq..." (more info in the article) to make sure. But other than that I think you've done all that was needed and the basic auth should be blocked 😞 You might wait a bit longer and see if it works eventually. Maybe someone else has an idea.

         

         

Resources