Forum Discussion
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
So does this indicate an account compromise, malicious attempts to authenticate, or false positive? Apologies for the confusion.
Hi there.
To be honest I still don't know for certain.
It appears it's ok, and MS told me it was ok, but I still don't know why it's happening.
If MS could chime in that'd be great.
- todd_maxey, Jul 10, 2021, Copper Contributor
The bad actors are hitting you probably via Exchange Online (EXO) basic authentication facilities, or it's coming from a VM in an Azure tenant. It's remarkably easy to get a cloud resource on AWS, Azure, etc. to launch your attacks.
First - Please report it - https://msrc.microsoft.com/report/abuse
You can use the O365 Admin Center to disable basic auth.
https://admin.microsoft.com
Go to Settings/Org settings/Modern Authentication and uncheck all the basic auth stuff. This will break old versions of Outlook and other older mail apps on phones and such.
Also, get at least P1 licensing and use conditional access policies to MFA everyone. And don't use SMS for MFA. Use the Microsoft Authenticator app which is much more secure.
Any user that is being attacked should be aware in case a bad actor does get a good password the end user does not need to be approving MFA for something they did not attempt.
Train your users. Test your users. Your users are part of your solution.
- sspencer935, Dec 06, 2020, Copper Contributor
No more threats so far. Anyway, you see them coming in on "clientAppUsed": "IMAP4", so I suspect the previous fix has resolved it. I will keep you updated.
- sspencer935, Dec 06, 2020, Copper Contributor
Good thing I had MFA; so far I believe this is definitely a password brute force. Besides monitoring and setting up conditional access, I blocked OWA and legacy Exchange/Outlook on the Exchange server itself.
-- https://docs.microsoft.com/en-us/Exchange/clients/outlook-on-the-web/mailbox-access?view=exchserver-2019
Monitoring to make sure it has been resolved. Last attack 12-6 15:22. I initially blocked OWA at the AD side yesterday and because Teams and all these other apps depend on OWA I was locked out of my mobile apps. I had to go back and block it at the Exchange server this morning.
I definitely think that the password was compromised, and I had MFA so there was no breach, but this morning, since the password was changed, the failed MFA error was no longer there on new attacks. Now it is saying that the password or username is incorrect and the account has been locked.
Now let's make sure it is stopped now that OWA and legacy is blocked.
- sspencer935, Dec 05, 2020, Copper Contributor
I haven't finished investigating yet, but none of the login attempts I have found were successful; however, I noticed they were trying MFA from several different phone numbers.
I am treating this as an active attack; it seems they are trying to log in to Exchange. I have received phishing emails attempting to spoof my email recently as well. Not sure if they are related.
Mine also says
"authenticationMethodDetail": "Password in the cloud"
authenticationMethodDetail (String): Details about the authentication method used to perform this authentication step. For example, phone number (for SMS and voice), device name (for Authenticator app), and password source (e.g. cloud, AD FS, PTA, PHS).
Other information to help prevent these attempts:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
You can query the Graph API for more information.
https://developer.microsoft.com/en-us/graph/graph-explorer
https://graph.microsoft.com/beta/auditLogs/signIns
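The post above points at the Graph sign-in log; as an added example (not code from the thread or from Microsoft), here is a defender-side triage of records in the shape that endpoint returns (field names clientAppUsed, appDisplayName, status.errorCode, ipAddress, userPrincipalName as in that API; the sample entries and the IMAP4/BAV2ROPC values are constructed to mirror what the thread reports), separating a spray of failures from the one case that matters most, a legacy-auth success that never went through MFA:

```python
# Added example (not from the thread): triage Azure AD sign-in records of the shape
# returned by Graph auditLogs/signIns for legacy-auth (basic auth / BAV2ROPC) attempts.
from collections import defaultdict

# clientAppUsed values that mean basic (legacy) authentication, plus the BAV2ROPC
# app name the thread reports seeing; treat membership in either as legacy auth.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                    "Other clients", "Exchange ActiveSync"}
LEGACY_APPS = {"BAV2ROPC"}
SUCCESS = 0  # status.errorCode 0 means the credential was accepted

def is_legacy_auth(entry):
    """True when the sign-in came in over a basic-auth protocol or the BAV2ROPC client."""
    return (entry.get("clientAppUsed") in LEGACY_PROTOCOLS
            or entry.get("appDisplayName") in LEGACY_APPS)

def summarize_legacy_signins(entries):
    """Per-user counts of failed/succeeded legacy-auth sign-ins and the source IPs seen."""
    report = defaultdict(lambda: {"failed": 0, "succeeded": 0, "ips": set()})
    for e in entries:
        if not is_legacy_auth(e):
            continue
        r = report[e["userPrincipalName"]]
        r["ips"].add(e.get("ipAddress"))
        if e.get("status", {}).get("errorCode") == SUCCESS:
            r["succeeded"] += 1  # a legacy-auth success bypassed MFA: highest priority
        else:
            r["failed"] += 1     # e.g. 50126 bad password, 50053 account locked
    return dict(report)

def needs_escalation(summary, min_failures=5):
    """Users with an accepted legacy-auth credential, or a spray pattern (many failures, several IPs)."""
    return sorted(u for u, r in summary.items()
                  if r["succeeded"] or (r["failed"] >= min_failures and len(r["ips"]) > 1))

def _entry(upn, client, app, ip, code):  # builds one record in the Graph signIn shape
    return {"userPrincipalName": upn, "clientAppUsed": client, "appDisplayName": app,
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE = [  # constructed sample data modelled on the IMAP4 / BAV2ROPC entries in the thread
    _entry("alice@example.com", "IMAP4", "BAV2ROPC", "203.0.113.10", 50126),
    _entry("alice@example.com", "IMAP4", "BAV2ROPC", "203.0.113.11", 50126),
    _entry("alice@example.com", "IMAP4", "BAV2ROPC", "198.51.100.7", 50126),
    _entry("alice@example.com", "IMAP4", "BAV2ROPC", "198.51.100.8", 50126),
    _entry("alice@example.com", "IMAP4", "BAV2ROPC", "198.51.100.9", 50053),
    _entry("bob@example.com", "IMAP4", "BAV2ROPC", "203.0.113.10", 0),
    _entry("carol@example.com", "Browser", "Office 365 Exchange Online", "192.0.2.5", 0),
    _entry("dave@example.com", "Other clients", "BAV2ROPC", "203.0.113.12", 50126),
]
```

Running `needs_escalation(summarize_legacy_signins(SAMPLE))` on the constructed sample returns alice (five failures from five IPs) and bob (an accepted legacy-auth password); once basic auth is disabled as the earlier replies advise, any new entry in this summary is itself the finding.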
- sspencer935, Dec 05, 2020, Copper Contributor
The way I am solving this is directing cloud traffic through my onprem VPN concentrators. Seems silly to have to come through the network and leave, but that way you can whitelist the traffic that is allowed or use a cloud gateway. Either way it will cost money.