Forum Discussion
JeffR_CNY (Copper Contributor)
Oct 25, 2024
MCAS Log on Event
Last night I had a Sentinel alert for logon from IP address associated with password spray. Alert was triggered from threat indicator matching IP address. OK no big deal, wasn't a password spray. In tracking this down I see the user is external in MCAS. I find no files shared with the user, no teams message activity, no email to the user.... nothing. My question is, what could the logon event be from?
- micheleariis (Steel Contributor)
JeffR_CNY Hi, the external user may have authorized a third-party application to interact with Microsoft 365 services. This application could update tokens periodically, without requiring direct user intervention, causing access events.
Have you received only 1 alert and had no other activity? It is possible that an automated service is using the external user's account to authenticate and access resources.
As verifications I would do:
- Check OAuth Permissions; check the external user's OAuth permissions in your environment. Look for any third-party applications that have permission to access the organization's data on behalf of the user.
- Check External Apps; if the external user has interacted with a third-party app, audit the app's activities and permissions.
As operations:
- Token revocation; if you suspect that the account or token is compromised, consider revoking the OAuth token and request a new authentication for the user.
- IP Address Monitoring; continue to monitor the IP in question to see if it generates any further alerts or suspicious activity.
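The checks and operations listed in the reply above, carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in admin holds the listed scopes. The user principal name, the IP address and the grant id are placeholders taken from the alert, not values from this page.

```powershell
# Added example, not code from the thread. Assumes the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to read sign-in logs and
# delegated grants and to revoke sessions. Values in angle brackets are placeholders.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All","User.RevokeSessions.All"

$upn = "<external-user-upn>"     # placeholder: the guest user named in the Sentinel alert
$ip  = "<ip-from-alert>"         # placeholder: the IP that matched the threat indicator

$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,UserType
"{0} is a {1} account" -f $user.UserPrincipalName, $user.UserType

# 1. Which application produced the logon? The sign-in log records the app and the
#    client used for each authentication, so this shows whether a third-party app
#    (rather than the person) was behind the event that tripped the indicator.
Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and ipAddress eq '$ip'" -Top 50 |
    Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, IPAddress,
                  @{n='Result'; e={ $_.Status.ErrorCode }}   # 0 = success

# 2. Delegated (OAuth2) grants for this user: every app allowed to act on their behalf,
#    with the resource it reaches and the scopes it was given.
$grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All
$grants | ForEach-Object {
    $client   = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    [pscustomobject]@{
        GrantId  = $_.Id
        App      = $client.DisplayName
        AppId    = $client.AppId
        Resource = $resource.DisplayName
        Scopes   = $_.Scope
    }
}

# 3. Containment, only if steps 1 and 2 turn up something unexpected: remove the
#    unwanted grant and invalidate refresh tokens so the app must re-authenticate
#    (and the user must consent again).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant-id-from-step-2>'
# Revoke-MgUserSignInSession -UserId $user.Id
```

Two caveats when reading the output. `Get-MgAuditLogSignIn` on the v1.0 endpoint returns interactive user sign-ins; a periodic token refresh by an application, which is the scenario the reply describes, shows up under non-interactive sign-ins, so check that view in the Entra portal as well if step 1 comes back empty. And consent for a guest user is recorded in the tenant where it was given, so step 2 only lists grants made in your tenant, not anything the user consented to in their home tenant.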