Forum Discussion
Windows Live Custom Domains causes Entra account lockout
Hi everyone,
We have an on-prem AD connected with Entra Connect to Entra ID for about 3 years. We only sync users and groups, no password hash or anything else. For a few days, 4 (out of about 250) users have constantly been locked out due to failed login attempts on an application called "Windows Live Custom Domains". The 4 users are not all locked out at the same time, but within 30 min to an hour of each other. This happens multiple times a day. As far as I was able to investigate, Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where these failed login attempts come from? If someone could point me in the right direction I would be very happy.
Thanks
Daniel
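To answer the "where do these attempts come from" question, the Entra sign-in log records the source IP, geolocation, client app used and error code of every attempt against the application. The following is an added example (not code from the thread or from Microsoft) that pulls the failed sign-ins attributed to that application over the last seven days with Microsoft Graph PowerShell and summarises them per user and source IP. It assumes the Microsoft.Graph.Reports module is installed, that the caller holds the AuditLog.Read.All permission, and that the application shows up in the log under exactly the display name "Windows Live Custom Domains" as the thread describes.

```powershell
# Added example, not from the original thread: trace failed sign-ins that Entra
# attributes to the "Windows Live Custom Domains" application back to their source.
# Assumes Microsoft.Graph.Reports is installed and the caller has AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$appName = 'Windows Live Custom Domains'
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# status/errorCode 0 is a successful sign-in; anything else is a failure
# (for example 50126 = invalid credentials, 50053 = account locked).
# appDisplayName, createdDateTime and status/errorCode are all $filter-able.
$filter = "appDisplayName eq '$appName' and createdDateTime ge $since and status/errorCode ne 0"
$failed = Get-MgAuditLogSignIn -Filter $filter -All

if (-not $failed) {
    Write-Host "No failed sign-ins for '$appName' since $since."
    # Legacy-protocol attempts are usually logged as interactive sign-ins, but if
    # nothing shows up, repeat the query with the non-interactive log:
    # ... and signInEventTypes/any(t: t eq 'nonInteractiveUser')
    return
}

# One row per user / source IP / client protocol, with attempt counts and the
# error codes seen, so the offending sources and their timing are visible at once.
$failed |
    Group-Object UserPrincipalName, IpAddress, ClientAppUsed |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User       = $first.UserPrincipalName
            IP         = $first.IpAddress
            Client     = $first.ClientAppUsed
            Country    = $first.Location.CountryOrRegion
            City       = $first.Location.City
            Attempts   = $_.Count
            FirstSeen  = ($_.Group.CreatedDateTime | Measure-Object -Minimum).Minimum
            LastSeen   = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            ErrorCodes = ($_.Group.Status.ErrorCode | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Attempts -Descending |
    Format-Table -AutoSize

# The AppId on the events identifies the application independently of its display
# name; keep it for service-principal lookups or blocking decisions.
$failed | Select-Object -ExpandProperty AppId -Unique
```

The grouping by ClientAppUsed is the part worth watching: it tells you whether the attempts arrive over a legacy protocol such as authenticated SMTP or IMAP, which is what the later replies in this thread try to switch off, or over a modern client flow.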
3 Replies
- mki (Copper Contributor)
Disabling SMTP Auth in Exchange didn’t resolve the issue, as it didn’t revoke all user sessions.
The challenge is that Windows Live Custom Domain is a very old application. It doesn’t appear under Enterprise Apps, which means we cannot block sign-ins for it, and Conditional Access policies aren’t being applied.
As a workaround, I’ll try creating the app in our tenant via MS Graph, using the same AppID and DisplayName, just in case it helps.
I’ve also raised a support ticket with Microsoft and am waiting for their response. It seems we’re not the only ones facing this issue.
https://www.reddit.com/r/entra/comments/1nozmi8/password_spray_attack/
- doublevdesignuk (Copper Contributor)
I've also seen multiple access attempts across multiple customers since 23rd Sep using this application. IP addresses show US and Germany. A popular source location is Schorfheide, Brandenburg, DE.
IP address 2a07:db85:4b71:a22e:aa6a:7c77:2ed1:e75a, although IP geolocation shows it as in the UK from 3xK Tech GmbH (head office is the location in Germany), and https://scamalytics.com/ip/isp/3xk-tech-gmbh says 14% of their web traffic is fraudulent. They run lots of anonymising VPNs/proxies.
I couldn't find anything in Conditional Access Policies that allows that specific app to be blocked, so suggestions welcome.
Sorry can't be of more help.
Cheers,
Mike
- mki (Copper Contributor)
Hello,
We are encountering the exact same issue, and it is still under investigation.
The problem is that in this scenario, none of our Conditional Access Policies are evaluated, likely because it occurs before login. I attempted to set up an Authentication Policy in Exchange Online, but it did not resolve the issue. I plan to disable SMTP Authentication at the tenant level.
Regards,
M.
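The workaround mki mentions above (creating the application in the tenant via Graph so that it is targetable at all) looks like the following in Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft, and the thread does not confirm whether it stops the attempts or the resulting lockouts; it only makes the app appear as an enterprise application so that sign-in to it can be disabled or a Conditional Access policy can name it. `$appId` is a placeholder: take the value from the AppId field of the failed sign-in events in your own tenant's log. It assumes the Microsoft.Graph.Applications module and the Application.ReadWrite.All permission.

```powershell
# Added example, not from the original thread: instantiate the service principal
# for the application in this tenant (if missing) and disable user sign-in to it.
# $appId is a placeholder; read it from the AppId field of the failed sign-in events.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appId = '<AppId taken from the sign-in log>'   # placeholder, fill in from your tenant

# Create the service principal only if it does not already exist in the tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $appId
    Write-Host "Created service principal $($sp.Id) for appId $appId"
}
else {
    Write-Host "Service principal $($sp.Id) already exists for appId $appId"
}

# With the service principal present, "Enabled for users to sign in" can be
# switched off; Entra then refuses sign-ins to this application.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Confirm the state; the same object is what the Enterprise applications blade shows.
Get-MgServicePrincipal -ServicePrincipalId $sp.Id |
    Select-Object DisplayName, AppId, AccountEnabled
```

Re-run the failed sign-in query from the sign-in log afterwards: whether the attempts now fail with an "application disabled" error before or after the password is checked is the thing to verify, since only the former would keep the on-prem accounts from being locked out.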