SOLVED

Detect compromised passwords

Occasional Contributor

After looking in the Sign-in view and seeing all the login attempts trying to guess passwords, we implemented MFA, so we feel a little more secure! However, we still get phishing emails and users will be users, so passwords are still going to get compromised. Now any attempt to login should get blocked by MFA, but I would like to be able to detect these and reset the users' passwords. So, any suggestions on how I would recognise a login attempt where a correct password was entered but it was blocked by MFA?

 

Thanks

 Huw

7 Replies

Those are visible in the Sign in logs, not sure what the question is here?

Hi Huw,

There are two types of log detections, and they’re both migrated to MCAS (Cloud App Security) -> Alerts.

1. Multiple logon failures: which represent logins from different countries with brute force attacks.

2. Sign in from unfamiliar locations: these are legit, someone trying to access accounts using the right password from unfamiliar locations.

Recommendations

1. I highly recommend enabling Geo-Fencing to access your O365 by location.

https://cloudbymoe.com/f/geo-fencing-access-to-o365-using-conditional-access


2. Use PowerBI to connect to MSFT Graph Security API to have dynamic rich reports that refresh automatically.

https://cloudbymoe.com/f/connect-powerbi-to-microsoft-graph-security

Hope this helps!
Moe

I personally like to use Azure Sentinel for this.
You could configure an extra rule in Azure Sentinel which detects certain Azure AD sign-in error codes and throws an alert on certain conditions.

@Huw Weatherhead you have quite a few options. 

 

Cloud security app:

https://docs.microsoft.com/en-us/cloud-app-security/getting-started-with-cloud-app-security 

from there you will be able to automate rules and receive notifications via email

 

Azure AD Sentinel

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins

more difficult and you have to learn how to use this tool

 

O365 ATP with E5 licence

https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

A very informative place to start looking if you have an E5 license. In addition, with E5 you can also configure "safe links":

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-links-po...

 

and of course third-party tools like Mimecast :)

 

Regards _tim

 

Hi @Huw Weatherhead,

 

There’s a distinction here between identifying and alerting on this type of activity. As the previous replies have indicated, there are proactive alerting mechanisms in the form of MCAS / Sentinel, but clearly these may carry a cost to you over more manual ways of identifying this sort of behaviour.

As Vasil suggested, at a base level you will see these reflected in the Azure AD sign-in logs as failed sign-ins (due to lack of MFA, as opposed to an incorrect password which you will be able to distinguish from the log data). Not as elegant as an alert based solution (which I’d recommend), but it will allow you to identify those accounts where passwords have been compromised with a bit of leg work.

 

Obviously this will be supplemented by Microsoft’s leaked credential detection service assuming you have AAD P1 or P2 :)

 

Hope this helps,

 

Kelvin

@Kelvin Papp 

Thanks for your response. I guess my question is really: what should I look for in the sign-in logs to spot a login attempt which presents a correct password but then fails the MFA check?

best response confirmed by Huw Weatherhead (Occasional Contributor)
Solution

@Huw Weatherhead,

 

You'll see a failure reason of "other" in the sign-in logs, as opposed to "invalid username or password":

 

[image: Invalid Password.jpg]

or...

 

[image: Other.jpg]

 

The sign-in error code is also key - 500121 above relates to a failed strong authentication in the context of "other":

 

[image: 500121 Error Code.jpg]

 

Regards,

 

Kelvin
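The accepted answer above (failure reason "other" with sign-in error code 500121 means the password was accepted and the sign-in was stopped at the MFA step) and the earlier Sentinel suggestion (a rule keyed on sign-in error codes) both come down to the same filter. The following is an added example, not code from the thread or from Microsoft: it triages a batch of sign-in records in the shape of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`, `status.failureReason`) and builds the list of accounts whose password should be reset. The sample events are constructed, not real log data. Error code 500121 is the one the answer shows; 50126 (invalid username or password) is assumed here as the contrasting "wrong password" code and is not named in the thread.

```python
"""Find Azure AD sign-ins where the password was correct but MFA blocked the
sign-in. Added example; input records follow the Graph `signIn` resource
shape and the sample events are constructed."""
from collections import defaultdict

# Named in the thread: strong authentication (MFA) was required and failed,
# which implies the password itself was accepted.
MFA_FAILED = 500121
# Assumed contrast case: AADSTS50126, invalid username or password. The
# thread only shows this as the failure-reason text, not as a code.
INVALID_CREDENTIALS = 50126


def classify(event):
    """Map one sign-in record to a coarse outcome label."""
    code = event.get("status", {}).get("errorCode", 0)
    if code == 0:
        return "success"
    if code == MFA_FAILED:
        return "password_ok_mfa_blocked"
    if code == INVALID_CREDENTIALS:
        return "bad_password"
    return "other_failure"


def mfa_blocked_signins(events):
    """Return only the records where a correct password was stopped by MFA."""
    return [e for e in events if classify(e) == "password_ok_mfa_blocked"]


def accounts_to_reset(events):
    """Summarise MFA-blocked attempts per user: attempt count and source IPs.

    A single hit is already evidence that someone other than the user knows
    the password, so every user listed here goes on the reset list."""
    per_user = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for e in mfa_blocked_signins(events):
        upn = e["userPrincipalName"]
        per_user[upn]["attempts"] += 1
        per_user[upn]["ips"].add(e.get("ipAddress", "?"))
    return {u: {"attempts": v["attempts"], "ips": sorted(v["ips"])}
            for u, v in per_user.items()}


# Constructed sample resembling Graph signIn records (not real data).
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2020-03-01T08:02:11Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2020-03-01T08:05:43Z",
     "status": {"errorCode": 50126,
                "failureReason": "Invalid username or password"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2020-03-01T08:07:02Z",
     "status": {"errorCode": 500121, "failureReason": "Other"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.55",
     "createdDateTime": "2020-03-01T09:41:19Z",
     "status": {"errorCode": 500121, "failureReason": "Other"}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2020-03-01T10:12:00Z",
     "status": {"errorCode": 500121, "failureReason": "Other"}},
]

if __name__ == "__main__":
    for upn, info in accounts_to_reset(SAMPLE_EVENTS).items():
        print(f"{upn}: {info['attempts']} MFA-blocked attempt(s) "
              f"from {', '.join(info['ips'])}")
```

The same filter expressed as a Sentinel rule would select rows of the `SigninLogs` table whose `ResultType` is 500121 and summarise them by `UserPrincipalName`; the Python version is just that logic run offline over exported records, with the distinct source IPs kept so the reset decision can be prioritised.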