Forum Discussion

casualbob's avatar
casualbob
Copper Contributor
Jan 30, 2020

Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC

Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in o...
alerts
office 365
security
Alicia_Shelley's avatar
Alicia_Shelley
Copper Contributor
Nov 12, 2020
20.190.128.80 Microsoft San Antonio, TX as well.
BdCvC's avatar
BdCvC
Copper Contributor
Nov 12, 2020

Alicia_Shelley 

Interesting new development, UnifiedAuditLogs in Europe have failed to update UserLoggedin records since around 25/11/2020, logged a case with MS, have seen AZ auditlogs re-feed old data to unifiedauditlogs but username is not the email address but the SID, so this looks like they have a problem and a bug. I added a P1 lic to one of my 12 Tenants and checking Get-AzureADAuditSignInLogs in stead, will let you know if this is more accurate regarding the incorrectly recorded MS sites.

  • BdCvC's avatar
    BdCvC
    Copper Contributor
    Nov 24, 2020

    BdCvC 

    MS has fixed the Azure log feed into UnifiedAuditLogs last week, which gave me the opportunity to look at the Azure logs (the source logs) in depth again, which confirmed that the False Positive is already present in the Azure UserLogin logs. Unfortunately the Azure logs content itself proves no better, even worse as the (MS internal) IP lookup does not even identify/log their own datacentres (so you have something to filter on). So I am back to extracting the UnifiedAuditLog, running it by an IP lookup and ignoring ISP=Microsoft Data Centres, as these are all false positives. Have managed to catch several hacked accounts this way, if customers would only pay the eu5 extra for P1, so we can use MFA (and Registered Locations) and the likes as prevention is always better than detection after the hack has already taken place.

    • Aquilius's avatar
      Aquilius
      Copper Contributor
      Nov 24, 2020

      BdCvC 

      So does this indicate an account compromise, malicious attempts to authenticate, or false positive? Apologies for the confusion.

      • BdCvC's avatar
        BdCvC
        Copper Contributor
        Nov 24, 2020

        Aquilius 

        My personal opinion and experience is that useragent=BAV2ROPC from ISP=Microsoft IP addresses (only) are failed login attempts (including from deleted userids), but are still logged in the Azure Logs, and thus causing a false positive.

        On several blogs I have read that even MS is recommending to ignore these. 

        I have never encountered a hack based on these, but have seen hacks on everything else (not BAV2ROPC from MS IP's). I am monitoring every 4 hours across 30 Tenants, 2 -400 users varying across 5 countries

Resources