Forum Discussion
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
So does this indicate an account compromise, malicious attempts to authenticate, or false positive? Apologies for the confusion.
My personal opinion and experience is that useragent=BAV2ROPC from ISP=Microsoft IP addresses (only) are failed login attempts (including from deleted userids), but are still logged in the Azure Logs, and are thus causing a false positive.
On several blogs I have read that even MS recommends ignoring these.
I have never encountered a hack based on these, but have seen hacks on everything else (not BAV2ROPC from MS IPs). I am monitoring every 4 hours across 30 Tenants, 2-400 users varying across 5 countries.
- BdCvC, Dec 03, 2020, Copper Contributor
bobster95 We started setting up Authentication Policies to disable Basic Auth (ahead of MS MC204828 mid 2021), but came across the following challenges in doing so, it may help others in their attempt to secure their Tenants (and hopefully stop BAV2ROPC occurring/logging):
Some admins were using PowerShell scripts and we had to exclude those individuals from the Policies. We also had to exclude users that were still using IMAP, POP3 and/or old phones configured with Exchange ActiveSync (instead of the more secure O365 account) setup. And then there were the few using Office 2013 (I know!) that could not upgrade as yet, and needed a Registry Hack or exclusion again.
- Dean_Gross, Dec 02, 2020, Silver Contributor
bobster95 my customer has a generic sales account that is showing up with this user agent. The unified audit log shows me that it has logged in successfully once a day, but no other events are recorded. It's weird.
- bobster95, Nov 30, 2020, Copper Contributor
So, like everyone, I have noticed a huge increase in these connections; however, some of mine are not from just Microsoft IP addresses, but also from normal public IP addresses. When looking at the AAD logs, it can be seen that the client application linked to this user agent is IMAP/POP.
However, I have seen a successful logon from a public IP using the BAV2ROPC useragent, where IMAP/POP was turned off.
So I'm wondering whether the connection was actually successful (both AAD and UAL show it was) and, if it was, what client application could use it that wasn't using IMAP and POP.
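An added triage example, not code from any poster in this thread, that applies the heuristics discussed above to constructed sign-in records: failed BAV2ROPC logins from Microsoft-owned ranges are bucketed as probable noise, while any successful BAV2ROPC logon (especially from a public IP where IMAP/POP should be off) is flagged for investigation. The field names, ISP strings and sample values are assumptions, not the exact schema of the Azure AD sign-in export.

```python
from collections import Counter

# Constructed sign-in records (sample data, not real tenant logs), carrying the
# fields the thread relies on: user agent, client app, ISP of the source IP, result.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "isp": "Example ISP",
     "userAgent": "BAV2ROPC", "clientApp": "IMAP4", "status": "success"},
    {"user": "bob@example.com", "ip": "203.0.113.11", "isp": "Example ISP",
     "userAgent": "BAV2ROPC", "clientApp": "POP3", "status": "failure"},
    {"user": "carol@example.com", "ip": "198.51.100.5", "isp": "Microsoft Corporation",
     "userAgent": "BAV2ROPC", "clientApp": "IMAP4", "status": "failure"},
    {"user": "carol@example.com", "ip": "198.51.100.5", "isp": "Microsoft Corporation",
     "userAgent": "BAV2ROPC", "clientApp": "IMAP4", "status": "failure"},
    {"user": "dave@example.com", "ip": "192.0.2.7", "isp": "Example ISP",
     "userAgent": "Mozilla/5.0", "clientApp": "Browser", "status": "success"},
]

def is_microsoft_isp(isp):
    # Assumed convention: the ISP field names the owning organisation.
    return isp.strip().lower().startswith("microsoft")

def triage(rec):
    """Classify one sign-in record using the heuristics discussed in the thread."""
    if rec["userAgent"] != "BAV2ROPC":
        return "not-bav2ropc"
    from_ms = is_microsoft_isp(rec["isp"])
    if rec["status"] == "success":
        # A successful basic-auth logon is the case worth investigating, above all
        # from a public IP on a tenant where IMAP/POP are supposed to be disabled.
        return ("investigate-success-from-microsoft-ip" if from_ms
                else "investigate-success-from-public-ip")
    # Failed logins from Microsoft-owned ranges are what the thread treats as noise.
    return ("likely-noise-failed-from-microsoft-ip" if from_ms
            else "failed-from-public-ip")

def summarize(records):
    """Return per-category counts and the users with successful BAV2ROPC logons."""
    counts = Counter(triage(r) for r in records)
    hits = sorted({r["user"] for r in records if triage(r).startswith("investigate")})
    return counts, hits

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_SIGNINS)
    for category, n in sorted(counts.items()):
        print(f"{category}: {n}")
    print("users with successful BAV2ROPC logons:", hits)
```

Accounts in the investigate bucket are the ones to check against the Exchange authentication policy exclusions BdCvC describes, since a successful BAV2ROPC logon means basic auth was still allowed for that user.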