Forum Discussion
MCAS IPv6 Recipient Cache False Positive Impossible Traveller
LT2024 more FYI 😉
We opened a ticket with MCAS and then with Exchange Online support in early Jan, that confirmed this is a "potential bug"...
Still waiting on a resolution, current recommendation was to add all these IPv6 as trusted. Since these IPs are not listed in the official ranges and constantly change we decided to wait for a proper resolution.
Requested also rationale for the REST client polling customer data, with no luck so far.
Quite disappointed with the MS support around this
I wonder if it's always been doing this but has now moved this IPv6 and as you said it just doesn't know about it. I also wonder if these servers are actually in our local region but it's just a
I am also wondering if this is part of the integration of the 'Outlook for iOS' and 'Outlook for Android' Apps.
- FaustinRoman Jan 22, 2020 Copper Contributor
LT2024 good questions!
For us the service location generating the alert is in US while our Exchange data is hosted in a very different region.
We requested rationale and details for this process as we are concerned about data sovereignty and privacy.
- kismat Aug 04, 2020 Brass Contributor
FaustinRoman Hi Faustin
Did you ever get a reply to your question regarding data sovereignty and privacy? If so could I possibly ask if you would be kind enough to post the response in this thread please? I ask because we are in exactly the same situation where our data is hosted in a different region to the US as well and it would be great to try and know the reasoning behind alerts getting generated in the US.
Many thanks in advance.
- FaustinRoman Aug 04, 2020 Copper Contributor
We got an answer, not sure if it really addressed all concerns:
"We're informed that the Microsoft Internal IP that's being logged by Microsoft Security Cloud Service/App was a service from the back-end that triggers the audit log events itself. That's why it happens every 00:00 UTC standard time when Microsoft generates an audit log.
We're also informed that the IP was already whitelisted by the MCAS so this should no longer trigger alerts.
As far as data accessed outside of the region, there were none as the event is only for triggering the audit service."
You could ask why this event is not triggered from the same region... I leave that to you, let me know how far you get with MS support and if it was worth your time....
- JKelly9 Jan 22, 2020 Copper Contributor
LT2024 FaustinRoman
We are seeing a near identical event generating impossible travel alerts.
If you hear anything further please let us know.
- FaustinRoman Jan 22, 2020 Copper Contributor
JKelly9 LT2024 I will send this thread to the team looking after our tickets, hopefully they will reply here or speed up the resolution.
In any case, thanks for sharing! 😉
- jurajl Jun 10, 2020 Copper Contributor
Ok hope this is resolved soon as we're getting the same issue