Forum Discussion
Solved
Detect compromised passwords
After looking in the Sign-in view and seeing all the login attempts trying to guess passwords we implemented MFA, so feel a little more secure! However we still get phishing emails and users will be ...
You'll see a failure reason of "other" in the sign-in logs, as opposed to "invalid username or password":
or...
The sign-in error code is also key - 500121 above relates to a failed strong authentication in the context of "other":
Regards,
Kelvin
Hi Huw,
There are two types of log detections and they’re both migrated to MCAS (Cloud Apps Security)-> Alerts.
1. Multiple logon failures: Which represent logins from different countries with brute force attacks.
2. Sign in from unfamiliar locations: These are legit, someone trying to access accounts using right password from unfamiliar locations.
Recommendations
1. I highly recommend enabling Geo-Fencing to access your O365 by location.
https://cloudbymoe.com/f/geo-fencing-access-to-o365-using-conditional-access
2. Use PowerBI to connect to MSFT Graph Security API to have dynamic rich reports that refresh automatically.
https://cloudbymoe.com/f/connect-powerbi-to-microsoft-graph-security
Hope this helps!
Moe
There are two types of log detections and they’re both migrated to MCAS (Cloud Apps Security)-> Alerts.
1. Multiple logon failures: Which represent logins from different countries with brute force attacks.
2. Sign in from unfamiliar locations: These are legit, someone trying to access accounts using right password from unfamiliar locations.
Recommendations
1. I highly recommend enabling Geo-Fencing to access your O365 by location.
https://cloudbymoe.com/f/geo-fencing-access-to-o365-using-conditional-access
2. Use PowerBI to connect to MSFT Graph Security API to have dynamic rich reports that refresh automatically.
https://cloudbymoe.com/f/connect-powerbi-to-microsoft-graph-security
Hope this helps!
Moe