Peter Nicholson
Sep 11, 2017
Solved

Users with leaked credentials

Can anyone tell me the logic used in this report? We have a situation where I need to prove one of our users performed a certain action as listed in our 365 audit logs. An obvious argument is that if...
  • Cian Allner
    Sep 11, 2017

    Not sure it will help, but here is the official explanation of leaked credentials and how Microsoft matches one of these users:

    "When cybercriminals compromise valid passwords of legitimate users, the criminals often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market. The Microsoft leaked credentials service acquires username / password pairs by monitoring public and dark web sites and by working with:

    • Researchers
    • Law enforcement
    • Security teams at Microsoft
    • Other trusted sources

    When the service acquires username / password pairs, they are checked against AAD users' current valid credentials. When a match is found, it means that a user's password has been compromised, and a leaked credentials risk event is created."

    This is from https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events by the way. This isn't foolproof; it's just what Microsoft can acquire and potentially match.
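
The matching step in the quoted explanation, sketched as an added example that is not part of the original thread and not Microsoft's implementation. It assumes a directory that stores salted PBKDF2 hashes; the function names and all sample accounts are constructed. It shows that only a leaked pair equal to the user's current password produces an event.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; the directory never keeps the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_directory(users: dict) -> dict:
    """Build a constructed directory: username -> (salt, hash of CURRENT password)."""
    directory = {}
    for name, password in users.items():
        salt = os.urandom(16)
        directory[name.lower()] = (salt, hash_password(password, salt))
    return directory


def leaked_credential_events(directory: dict, leaked_pairs: list) -> list:
    """Return usernames whose leaked password equals their current one."""
    events = []
    for username, leaked_password in leaked_pairs:
        key = username.lower()
        record = directory.get(key)
        if record is None:
            continue  # the leaked account is not one of our users
        salt, current_hash = record
        candidate = hash_password(leaked_password, salt)
        # Constant-time comparison; one event per user even if leaked twice.
        if hmac.compare_digest(candidate, current_hash) and key not in events:
            events.append(key)
    return events


# Constructed sample data: no real accounts or passwords.
DIRECTORY = make_directory({
    "alice@example.com": "Winter-Harbor-71",
    "bob@example.com": "changed-since-the-breach",
})
LEAKED = [
    ("alice@example.com", "Winter-Harbor-71"),      # still her current password
    ("bob@example.com", "old-breached-password"),   # already rotated, no event
    ("carol@example.net", "whatever"),              # not in this directory
]

if __name__ == "__main__":
    print(leaked_credential_events(DIRECTORY, LEAKED))
```

An event here says the password was known to someone else at matching time; it does not by itself say who performed a given logged action.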
