Forum Discussion
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
I have started ignoring the sources below, as I could not link them to password hacks. They also appeared for users I deleted ages ago, and the logs still say a successful UserLogin, so it may be an internal error.
ID IP Description RegionName Country
30 40.101.126.245 Microsoft Germany
31 40.101.71.117 Microsoft Austria
32 40.101.124.253 Microsoft Netherlands
33 40.101.100.133 Microsoft United States
34 40.101.126.173 Microsoft Finland
35 52.98.40.37 Microsoft South Korea
The number of actually hacked accounts appears to be getting smaller in Q1 2020; we still see a few occasionally, but not as many as in Q3 and Q4 last year.
Cheers BdCvC,
I have encountered these IPs and started ignoring them too. Added in case it helps anyone else.
Dublin Ireland
40.101.42.173
40.101.96.101
52.97.140.37
52.97.140.45
40.101.102.149
Vienna Austria
148.252.129.195
40.101.71.61
52.97.141.213
Amsterdam Holland
52.97.140.181
40.101.88.221
52.97.139.61
52.97.135.157
52.97.141.45
40.101.90.85
- BdCvC, Sep 08, 2020, Copper Contributor
I am monitoring the audit logs of a few dozen tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IPs in their data centers). I have excluded Microsoft* ISPs from my alerts, as these are likely just password hackers and the logs interpret/file them as successful logins instead of as attempts.
If they were truly actual logins, we would not be in business anymore 🙂
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.
Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.
- synclan, Jul 30, 2020, Copper Contributor
I have been seeing these as well around when you started seeing them.
I'm on my third ticket with MS after being informed to ignore them - the frequency and accounts that are being sprayed have increased and now it is targeting specific accounts in my tenant.
Anyone have more info on this?
- casualbob, Aug 06, 2020, Copper Contributor
Over 3,600 people have viewed my original post now so we're definitely not alone.
Please update us if you have any further info.
I've had 72 alerts in the last week on the handful of accounts I run, and new MS IP addresses all the time, so I'm constantly having to update my rule to catch them.
- synclan, Sep 10, 2020, Copper Contributor
I'm going to echo what others have said in this thread so far.
In my tickets with MS, they have told me to ignore these, although I don't think that's the right move.
It *seems* to be a password spray attempt, likely a dictionary-based attack.
ROPC = Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
BAV = Business Apps v2
I have switched from monitoring successful logins in the audit logs to monitoring the Azure based logins per MS's suggestion as the audit logs can be difficult to read with a bunch of these attempts cluttering the logs.
The only option presented to me to mitigate this was to enable Conditional Access, which will not work as some of these attempts are stateside. I don't want to lock down logins to the IPs for each specific user, as that will be pretty difficult to manage with mobile usage.
All I can tell is that these attempts are successfully getting a token, which does not necessarily indicate a compromise, just that the attacker was able to authenticate to the service.
It is concerning to me that this is happening, that it is coming from MS-based IPs, and that in the numerous tickets I have made, it's been brushed off.
Hopefully MS will address this, we are really relying here on the quality of this service and the strength of the user password, which makes me pretty uncomfortable.
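Two posts above describe the same monitoring problem from different angles: BdCvC filters UserLoggedIn audit events by ISP and drops anything coming from Microsoft addresses, while synclan watches the BAV2ROPC sign-ins and notes that a token being issued is not by itself a compromise. The following is an added example (not code from any poster in this thread, nor from Microsoft) of detection logic in Python that does both at once: it picks out successful logins from the BAV2ROPC client, tags whether the source IP is on a Microsoft list (here, the addresses posted in this thread, standing in for Microsoft's published ranges), counts distinct target accounts per source IP inside a short window, and flags tokens issued for accounts that no longer exist in the tenant. The AuditData field names (CreationTime, ClientIP, UserId, ExtendedProperties with UserAgent and RequestType) are assumptions modelled on Unified Audit Log exports, and all events, users and times are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Microsoft source IPs as listed by posters in this thread. Constructed allowlist for
# the example; a production list would come from Microsoft's published Office 365 ranges.
MICROSOFT_IPS = {
    "40.101.126.245", "40.101.71.117", "40.101.124.253", "40.101.100.133",
    "40.101.126.173", "52.98.40.37", "40.101.42.173", "52.97.140.37",
}

# Accounts that currently exist in the tenant (constructed for the example).
KNOWN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"}


def _event(time, ip, user, agent, request_type):
    # One constructed UserLoggedIn record in an AuditData-like JSON shape
    # (field names are assumptions for this example, not a documented schema).
    return json.dumps({
        "CreationTime": time,
        "Operation": "UserLoggedIn",
        "ResultStatus": "Succeeded",
        "Workload": "AzureActiveDirectory",
        "ClientIP": ip,
        "UserId": user,
        "ExtendedProperties": [
            {"Name": "UserAgent", "Value": agent},
            {"Name": "RequestType", "Value": request_type},
        ],
    })


# Constructed sample log: one ordinary browser sign-in, a burst of ROPC token grants
# for four different accounts from one Microsoft IP (one of them a deleted account),
# and a single ROPC grant from another Microsoft IP.
SAMPLE_AUDIT_LINES = [
    _event("2020-09-08T09:30:00", "203.0.113.10", "alice@example.com", "Mozilla/5.0", "Login:login"),
    _event("2020-09-08T10:00:00", "40.101.126.245", "alice@example.com", "BAV2ROPC", "OAuth2:Token"),
    _event("2020-09-08T10:00:05", "40.101.126.245", "bob@example.com", "BAV2ROPC", "OAuth2:Token"),
    _event("2020-09-08T10:00:11", "40.101.126.245", "carol@example.com", "BAV2ROPC", "OAuth2:Token"),
    _event("2020-09-08T10:00:20", "40.101.126.245", "olduser@example.com", "BAV2ROPC", "OAuth2:Token"),
    _event("2020-09-08T11:00:00", "52.98.40.37", "dave@example.com", "BAV2ROPC", "OAuth2:Token"),
]


def parse_audit_lines(lines):
    """Parse one JSON AuditData record per line; lines that are not valid JSON are skipped."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def extended_property(event, name):
    """Return the value of a named ExtendedProperties entry, or None if absent."""
    for prop in event.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def is_ropc_login(event):
    """True for successful UserLoggedIn records produced by the BAV2ROPC client."""
    return (event.get("Operation") == "UserLoggedIn"
            and event.get("ResultStatus") == "Succeeded"
            and extended_property(event, "UserAgent") == "BAV2ROPC")


def summarize_ropc_by_ip(events, known_users=KNOWN_USERS, microsoft_ips=MICROSOFT_IPS,
                         window_seconds=300, spray_threshold=3):
    """Group ROPC logins by source IP and mark the patterns described in the thread."""
    by_ip = defaultdict(list)
    for event in events:
        if is_ropc_login(event):
            by_ip[event["ClientIP"]].append(event)

    summary = {}
    for ip, hits in by_ip.items():
        times = sorted(datetime.fromisoformat(e["CreationTime"]) for e in hits)
        users = sorted({e["UserId"] for e in hits})
        span = (times[-1] - times[0]).total_seconds()
        summary[ip] = {
            "microsoft_source": ip in microsoft_ips,       # tagged, not silently dropped
            "distinct_users": len(users),
            "unknown_users": [u for u in users if u not in known_users],
            "spray_suspected": len(users) >= spray_threshold and span <= window_seconds,
        }
    return summary


def ips_to_alert(summary):
    """Alert on many-accounts-per-IP bursts and on tokens issued for accounts the tenant
    no longer has, whether or not the source address belongs to Microsoft."""
    return sorted(ip for ip, s in summary.items()
                  if s["spray_suspected"] or s["unknown_users"])


if __name__ == "__main__":
    report = summarize_ropc_by_ip(parse_audit_lines(SAMPLE_AUDIT_LINES))
    for ip, details in report.items():
        print(ip, details)
    print("alert on:", ips_to_alert(report))
```

The design point is the one synclan raises: dropping every event whose ISP is Microsoft makes the logs readable but also hides a spray that arrives through a Microsoft address. Keeping the ISP as a tag and alerting on the shape of the activity (distinct accounts per source in a short window, and grants for accounts that were deleted long ago, as in the first post) keeps the noise out of the alert queue without discarding the signal.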