Forum Discussion
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
I have started ignoring the sources below, as I could not link them to password hacks. They also appeared for users I deleted ages ago, and the logs still say a successful UserLogin, so it may be an internal error.
ID IP Description RegionName Country
30 40.101.126.245 Microsoft Germany
31 40.101.71.117 Microsoft Austria
32 40.101.124.253 Microsoft Netherlands
33 40.101.100.133 Microsoft United States
34 40.101.126.173 Microsoft Finland
35 52.98.40.37 Microsoft South Korea
The number of actually hacked accounts appears to have become smaller in Q1 2020; we still see a few occasionally, but not as many as in Q3 and Q4 last year.
- casualbob, Apr 02, 2020, Copper Contributor
Cheers BdCvC,
I have encountered these IPs and started ignoring them too. Added in case it helps anyone else.
Dublin, Ireland: 40.101.42.173, 40.101.96.101, 52.97.140.37, 52.97.140.45, 40.101.102.149
Vienna, Austria: 148.252.129.195, 40.101.71.61, 52.97.141.213
Amsterdam, Holland: 52.97.140.181, 40.101.88.221, 52.97.139.61, 52.97.135.157, 52.97.141.45, 40.101.90.85
- BdCvC, Sep 08, 2020, Copper Contributor
I am monitoring the audit logs of a few dozen tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IPs in their data centers). I have excluded Microsoft* ISPs from my alerts, as these are likely just password hackers and the logs interpret/file them as successful logins instead of attempts.
If they were truly actual logins, we would not be in business anymore 🙂
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.
Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.
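For the PowerShell audit-log monitoring BdCvC describes, here is an added example (not code from anyone in this thread): it takes UserLoggedIn records in the AuditData JSON shape that Search-UnifiedAuditLog returns, using constructed sample records embedded inline (example.com users, one documentation-range IP), and summarises logins per client IP and user agent, marking the BAV2ROPC user agent that ROPC token requests show up as, so each source can be reviewed before deciding whether to exclude it from alerts.

```powershell
# Added example, not from anyone in this thread. The records below are CONSTRUCTED
# in the shape of the AuditData JSON that Search-UnifiedAuditLog returns for
# UserLoggedIn events (Operation, ResultStatus, UserId, ClientIP, ExtendedProperties).
$sampleAuditData = @'
[
 {"CreationTime":"2020-08-01T02:11:09","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@example.com","ClientIP":"40.101.126.245",
  "ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"RequestType","Value":"OAuth2:Token"}]},
 {"CreationTime":"2020-08-01T02:11:40","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"bob@example.com","ClientIP":"40.101.126.245",
  "ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"RequestType","Value":"OAuth2:Token"}]},
 {"CreationTime":"2020-08-01T09:05:12","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@example.com","ClientIP":"203.0.113.7",
  "ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0)"},{"Name":"RequestType","Value":"Login:login"}]}
]
'@

function Get-LoginSourceSummary {
    param([Parameter(Mandatory)][string]$AuditDataJson)

    $records = $AuditDataJson | ConvertFrom-Json

    # One flat row per UserLoggedIn record, with the user agent pulled out of ExtendedProperties.
    $logins = foreach ($r in $records) {
        if ($r.Operation -ne 'UserLoggedIn') { continue }
        $ua = ($r.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
        if (-not $ua) { $ua = '(none)' }
        [pscustomobject]@{
            Time       = [datetime]$r.CreationTime
            User       = $r.UserId
            ClientIP   = $r.ClientIP
            Result     = $r.ResultStatus
            UserAgent  = $ua
            # BAV2ROPC is the user agent the logs show for ROPC (plain username/password) token requests.
            LegacyAuth = ($ua -eq 'BAV2ROPC')
        }
    }

    # Summarise per source IP and user agent: how many logins, how many distinct users, and when.
    $logins | Group-Object ClientIP, UserAgent | ForEach-Object {
        [pscustomobject]@{
            ClientIP      = $_.Group[0].ClientIP
            UserAgent     = $_.Group[0].UserAgent
            LegacyAuth    = $_.Group[0].LegacyAuth
            Logins        = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object LegacyAuth, Logins -Descending
}

# Replace $sampleAuditData with the AuditData strings from Search-UnifiedAuditLog output to run on real logs.
Get-LoginSourceSummary -AuditDataJson $sampleAuditData | Format-Table -AutoSize
```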
- synclan, Jul 30, 2020, Copper Contributor
I have been seeing these as well around when you started seeing them.
I'm on my third ticket with MS after being informed to ignore them - the frequency and the accounts that are being sprayed have increased, and now it is targeting specific accounts in my tenant.
Anyone have more info on this?
- casualbob, Aug 06, 2020, Copper Contributor
Over 3,600 people have viewed my original post now so we're definitely not alone.
Please update us if you have any further info.
I've had 72 alerts in the last week on the handful of accounts I run, and new MS IP addresses appear all the time, so I'm constantly having to update my rule to catch them.