cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Strange new logins.

%3CLINGO-SUB%20id%3D%22lingo-sub-1053058%22%20slang%3D%22en-US%22%3ERe%3A%20Strange%20new%20logins.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1053058%22%20slang%3D%22en-US%22%3EI%20haven't%20seen%20anything%20about%20Windows%20tunneling%20traffic.%20Are%20you%20certain%20that%20person%20hasn't%20gotten%20a%20computer%20that%20might%20be%20used%20by%20family%20that%20is%20syncing%20in%20the%20background%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1052165%22%20slang%3D%22en-US%22%3EStrange%20new%20logins.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1052165%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%20in%20AzureAD%20logs%20I%20have%20started%20to%20see%20attempted%20logins%20to%20various%20users%20across%20my%20organisation.%26nbsp%3B%20They%20all%20seem%20to%20have%20similar%20conditions%20such%20as%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Even%20though%20they%20are%20physically%20in%20Australia%20the%20logins%20occur%20from%20IP's%20in%20the%20UK%20e.g%20some%20IP's%20seen%20are%26nbsp%3B%3CSPAN%3E185.59.221.83%20(Hounslow%2C%20Greater%20London%2C%20GB)%20and%26nbsp%3B109.70.144.22%20(Needham%20Market%2C%20Suffolk%2C%20GB)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E2.%20They%20are%20all%20showing%20in%20device%20info%20as%20%22%3CSPAN%3EAzure%20AD%20registered%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E3.%20Application%20identified%20as%20%22Universal%20Store%20Native%20Client%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E4.%20Resource%20identified%26nbsp%3Bas%20%22Windows%20Store%20for%20Business%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESometime%20they%20also%20have%20the%20following%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E1.%20Same%20IP%20as%20the%20traffic%20for%26nbsp%3BApplication%20identified%20as%20%22Universal%20Store%20Native%20Client%22%20but%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20Application%20identified%20as%20%22Microsoft%20Application%20Command%20Service%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E3.%20Resource%20identified%26nbsp%3Bas%20%22Microsoft%20Activity%20Feed%20Service%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20can%20understand%20if%20maybe%20these%20are%20some%20kind%20of%20background%20services%20attempting%20to%20access%20MS%20resources%20and%20are%20suing%20the%20Login%20for%20the%20Office%20tenancy%20but%20why%20are%20they%20coming%20from%20an%20IP%20in%20the%20UK%20when%20I%20know%20the%20person%20is%20in%20Australia%20at%20the%20time.%26nbsp%3B%20Is%20Windows%20tunneling%20certain%20traffic%3F%26nbsp%3B%20What%20is%20going%20on%3F%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1052165%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
lfkentwell
Contributor

‎Dec 05 2019 10:20 PM - last edited on ‎Jul 24 2020 01:27 AM by

‎Dec 05 2019 10:20 PM - last edited on ‎Jul 24 2020 01:27 AM by

Strange new logins.

Recently in AzureAD logs I have started to see attempted logins to various users across my organisation.  They all seem to have similar conditions such as:

 

1. Even though they are physically in Australia the logins occur from IP's in the UK e.g some IP's seen are 185.59.221.83 (Hounslow, Greater London, GB) and 109.70.144.22 (Needham Market, Suffolk, GB)

2. They are all showing in device info as "Azure AD registered"

3. Application identified as "Universal Store Native Client"

4. Resource identified as "Windows Store for Business"

 

Sometime they also have the following:

 

1. Same IP as the traffic for Application identified as "Universal Store Native Client" but

2. Application identified as "Microsoft Application Command Service"

3. Resource identified as "Microsoft Activity Feed Service"

 

Now I can understand if maybe these are some kind of background services attempting to access MS resources and are suing the Login for the Office tenancy but why are they coming from an IP in the UK when I know the person is in Australia at the time.  Is Windows tunneling certain traffic?  What is going on????

Labels:
4,045 Views
0 Likes
1 Reply
Reply
1 Reply
Thijs Lecomte

‎Dec 06 2019 08:23 AM

‎Dec 06 2019 08:23 AM

Re: Strange new logins.

I haven't seen anything about Windows tunneling traffic. Are you certain that person hasn't gotten a computer that might be used by family that is syncing in the background?
0 Likes
Reply