SOLVED

Azure Active Directory - Regional Blocking

Andrew Holmes
New Contributor

My organization has been stormed with spear phishing attempts over the past month. One of them hit my CEO and was successful. Immediately after the successful phish there were several things that happened to his Office365 mailbox through the web portal (rules etc.). This is not the first time this has happened, and each time through remediation it was determined the access was coming from Eastern Europe. I was wondering if there was a way to prevent logins from specific regions that you don't do business in and would never have users travel to that needed access to their accounts. I have a few Barracuda products protecting some web apps we host and this is a firewall feature.

Just checking.

Thanks so much,

Andrew Holmes

5 Replies

Hi Andrew,

What Office 365 licences do you have?

In E5 you have Advanced Threat Protection and Windows ATP, which can help you in this kind of scenario.

Nuno, thank you for your response. We are a non-profit and we have an E3. I am in the portal now and see the E5 upgrade. I will gladly do it if I can get this type of feature. Thanks so much.

Hi Andrew,

Office 365 E3 and Windows ATP will help you with this kind of procedure. If you need more help, please tell.

Solution

Hi Andrew,

I would suggest that you look into Conditional Access, a feature of Azure Active Directory Premium (licensing required). One of the features it has is setting up a trigger based on the actor account's geographic location. If the account is not signing on to a trusted network, the trigger can be set to block access as part of a block control. You will need to supply a list of CIDR IP ranges that are trusted. I hope this helps. - Josh
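
The configuration described in the answer above, as an added example that is not part of the original thread: a trusted named location built from CIDR ranges, and a Conditional Access policy that blocks sign-ins from anywhere else. It assumes the Microsoft Graph PowerShell SDK (not mentioned in the thread); the display names, the documentation-range CIDRs and the excluded emergency-access account ID are constructed placeholders.

```powershell
# Added example: display names, CIDR ranges and the excluded account ID are placeholders.
# Requires the Microsoft Graph PowerShell SDK and an Azure AD Premium licence.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location holding the trusted CIDR ranges (replace with your egress ranges).
$trustedLocation = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted office networks (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' },
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/24' }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $trustedLocation

# 2. Policy: every location except the trusted one gets the block control.
$policy = @{
    displayName   = 'Block sign-ins outside trusted networks (example)'
    # Report-only first: review the sign-in logs, then switch to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            # Keep an emergency-access account outside the policy to avoid lockout.
            excludeUsers = @('<emergency-access-account-object-id>')
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Running the policy in report-only mode shows which existing sign-ins would have been blocked before anyone is actually locked out.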

Thank you so much. Yes this helps very much. This flexibility along with the ATP capabilities will be a great toolkit to fight this. Appreciate everyone's help.