SOLVED

Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

We have noted a drastic increase in the number of failed log on attempts coming from countries outside the US within ADFS, obviously attempting to log in through Exchange Online.

(When reviewing event ID 411 specifically within the security logs of the ADFS servers you will note two IP addresses: "OriginIPAddress,MicrosoftExchangeOnlineIP".)

We are running a hybrid environment with ADFS 3.0 on 2012 R2 and O365; the AD domain is on 2008 R2.

We have a user base of approximately 700 users.

This presents a couple of obvious issues.

Enabled advanced event logging for ADFS and processes, so I can see the IP addresses of logins through ADFS.

Every day, I am processing through all of the 411 events within the security event logs and consolidating them into a spreadsheet for easier consumption. (Not a pretty process, as I haven't completely fine-tuned it yet.)

Here are some of the things I am seeing for all of the foreign IP addresses:

- They are making attempts at approximately 400 account names.
- The majority of attempts are performed in alphabetical order with occasional deviations.
- They are rate limiting what they are trying, for the most part to only 4 or 5 attempts per account per day, with occasional deviations which wind up triggering the extranet lockout for a given user.
- Microsoft's online logging and monitoring of failures such as these is pretty much worthless or outright non-existent.

Limitations of my environment:

We can't enable MFA across the board, as the company won't supply mobile devices across the board and they find the cost for tokens too prohibitive.

Have contemplated blocking regional IP addresses, but this presents its own problems.

One, I can't block it at the firewall fronting the ADFS WAP, as they are utilizing basic auth through Exchange Online, so all we would see at the firewall is the Exchange Online IP addresses.

Two, I can't enable conditional access, because it is designed to be inclusive, not exclusive, where the IPs specified are for known good networks. We have too many remote locations that are on some form of dynamic connection.

Three, I can't really block non-US IPs, as we routinely have execs traveling.

Sorry for the long-winded description. Here is where the questions come in. I am hunting for ideas.

First, any ideas on how to mitigate this other than what was already provided?

Second, has anyone found a way to determine which protocols these authentication attempts are being made against in Exchange Online? It logs client type for successes, which allows you to do some tracking of client type, but it does not provide any form of reporting or logging that I have found for failed attempts, and there doesn't appear to be anything I can extract from AD FS logs.

Three, has anyone found a way to fully monitor the Azure AD sign-ins? MS has their reporting and the online logging, but I would like to have something monitor the Azure AD sign-ins for successful failures from foreign IP addresses and notify on these events. We don't have that many people that travel outside the country, so it's easy to correlate to a given known user traveling.

Four, is anyone else seeing something along these lines?

Thanks for your time,

-G

Labels: Admin, Exchange Online, Office 365

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Hi Eugene,

Thanks for the detailed description. I will look into testing this for a couple of affected users and then get it rolled out across the domain if all good. We have managed to stay off some of the lockouts using the threshold settings, but still some get locked every so often, so this could do the trick for us.
Thanks again, and I will update in the new year as to how it all goes.

paddi

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Not sure if anyone has seen this. There is a new tool for your basket. This has helped us greatly.

A couple of months ago Microsoft released to preview and then has pushed forward 'Authentication Policies'.

These authentication policies are processed prior to being passed to AAD or ADFS, saving the failed login against the account.

And yes, this can be applied to individual or small groups to test first (just remember to wait to assure the policy is applied to the user in question before calling it good or not).

See https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

Basic outline:

Assure you have modern authentication enabled for your organization.

Create an authentication policy blocking basic auth for POP, IMAP and such (the biggest one we were seeing was IMAP).

If you have any user or service accounts that require basic auth for any of the protocols you are disabling in the previous policy, create a second policy allowing the protocols.

If you have any users that are utilizing POP, IMAP or any other method you determine doesn't need basic authentication, get them migrated to some other form of client app or access.

If there are any accounts that absolutely require basic auth (i.e. we have a ticketing system that utilizes IMAP with basic auth to connect to a specific mailbox), make note of them to exclude in your query for users to apply your restricted policy to.

Query for and apply the unrestricted policy to the service accounts or users that require basic auth for the protocols disabled by the restricted policy.

Query for and apply the restricted policy to the majority of your users.

Apply the restricted policy as the global default (for new users).

Either wait 24 hours for it to be applied, or touch a user property on the user and wait approximately 30 minutes.

Note, the below worked for me. Make sure you research and adjust for your own needs. I take no responsibility for what you do to your environment. These are only examples.

Exchange PowerShell commands used:

# Connect to Exchange Online ({exchangeonline admin} is a placeholder for your admin UPN)
Connect-EXOPSSession -UserPrincipalName {exchangeonline admin}

# Restricted policy: blocks basic auth for IMAP, POP and SMTP but allows things like ActiveSync
# (adjust according to your needs)
New-AuthenticationPolicy -Name "Block_Basic_Auth_Selective"
Set-AuthenticationPolicy -Identity "Block_Basic_Auth_Selective" `
    -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false -AllowBasicAuthReportingWebServices -AllowBasicAuthRest `
    -AllowBasicAuthRpc -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices -AllowBasicAuthPowerShell

# Unrestricted policy for the accounts that still need basic auth
# (adjust according to your needs; every switch takes $true/$false, not a bare true)
New-AuthenticationPolicy -Name "Allow_Basic_Auth"
Set-AuthenticationPolicy -Identity "Allow_Basic_Auth" `
    -AllowBasicAuthActiveSync:$true -AllowBasicAuthAutodiscover:$true -AllowBasicAuthImap:$true `
    -AllowBasicAuthMapi:$true -AllowBasicAuthOfflineAddressBook:$true -AllowBasicAuthOutlookService:$true `
    -AllowBasicAuthPop:$true -AllowBasicAuthReportingWebServices -AllowBasicAuthRest `
    -AllowBasicAuthRpc -AllowBasicAuthSmtp:$true -AllowBasicAuthWebServices:$true -AllowBasicAuthPowerShell

To simplify things for my environment I manually set the users that required basic auth (I only had two):

Set-User -Identity "User One" -AuthenticationPolicy "Allow_Basic_Auth"

To touch the user to make the policy get applied quicker:

Set-User -Identity "User One" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

For the rest of my users:

# Every mailbox user that has no authentication policy assigned yet
$Users = Get-User -ResultSize Unlimited | Where-Object { $_.RecipientType -eq "UserMailbox" -and $_.AuthenticationPolicy -eq $null }
$Users = $Users.WindowsEmailAddress
$Users | ForEach-Object { Set-User -Identity $_ -AuthenticationPolicy "Block_Basic_Auth_Selective" }

If you want to touch the users to apply the policy quicker, since the query is already in memory:

$Users | ForEach-Object { Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Now the following command will apply the restricted policy as the global default. (Note, when I first implemented this, the unrestricted users did not have a policy applied, and as such I thought they would have no policy applied, but once the default policy was applied to the global config, it affected the unrestricted, unconfigured users.)

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block_Basic_Auth_Selective"

Remember, mileage will vary. Read everything you can find on Authentication Policies.

For us, for now, this has completely removed the issues we were having with illegitimate failed login attempts and account lockouts.
We ran into only the one issue mentioned above with the accounts that had no policy assigned and then the global policy being applied.

Remember, it takes approximately 24 hours for the policy to be applied to a user unless one of the user's properties is modified.

There is one thing I will mention: at this time, when this is applied, there is nothing logged for failed attempts that fall afoul of the blocked basic auth policy, even in Azure AD Sign-ins.

-Gene

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Hi,

I just wanted to ask a quick question, maybe a stupid one mind you, but I noticed this is looking for event ID 411, but when I view the events in Event Viewer the IP information is contained in event IDs 516 & 512. The 411 looks like below. Will the script still work OK or do I need to amend it?

I agree with you guys, this is becoming a total pain to manage, as we have a couple of accounts that get hit throughout the day, sometimes locking them up out of hours etc., and as mentioned before it seems to be run through alphabetically and even with some random names that aren't within the company. I'm hoping this helps with the problem, but I do think MS should be doing more.

Event ID 411:
Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Error message:
Removed@goodreason.com-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: s.voigt@ikmconsulting.co.uk ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

Event ID 516:
The following user account has been locked out due to too many bad password attempts.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
removed@forgoodreason.co.uk
Client IP:
212.38.173.4,52.97.135.253
Bad Password Count:
8
Last Bad Password Attempt:
08/11/2018

Event ID 512:
The account for the following user is locked out. A login attempt is being allowed due to the system configuration.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
removed@goodreason.co.uk
Client IP:
212.38.173.4,40.101.96.109
Bad Password Count:
8
Last Bad Password Attempt:
08/11/2018

Great write-up, by the way, Eric.

paddi

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

I am working on this very same thing and it has been nasty! I got to the exact same place as Eric, albeit just a TINY bit differently, but the exact same idea. Since most of these attacks are from countries we have no business with or executives traveling to, we block out the IP's whole registered subnet.

I am working on adding the ability to get that data from http://who.is or elsewhere (I am curious about that Linux command Eric uses for GeoIP data). Adding this to the script will most definitely save me having to go look it up. I have 4 /8s and 2 /16 subnets in my lists now, so for now we are OK with the limit you ran into.

We are going to have to pony up for some form of token access or service like DUO, which we already use for Remote Desktop Gateway MFA. I just need a way to authenticate people that SHOULD be authenticated, not just usernames that CAN be. I'm looking for a way to allow our execs to just not be bothered with this at ALL, since it's only a matter of time until someone goes to China and then we are back to the drawing board!

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

We set our threshold much lower than yours. We looked through our logs and even at 4 hits on an individual IP address they were still coming from other countries. So we set our threshold at 4, knowing that we increased the risk of a false positive and we would have to come back through and remove it and whitelist it after the fact. With that being said, in a matter of 18 hours we reached 1267 entries in our AnyOfClientIPAddressesOrRanges property. So the script worked well! Too well...

I'll send you a message on here if the attach file thing doesn't work with the full text of the modified script, and you can see the section that I modified to convert to IPv4. I commented in it.

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Andy, I 100% agree that it should be something we already have as a simple GUI option for all O365 tenants, but unfortunately it doesn't appear to be something that they are interested in doing, as people have been asking for it since they first put out O365 and they haven't yet implemented it.

I'm actually planning on seeing if I can make a PowerShell script to create and maintain region blocking via a Client Access Rule, as even with all the above protections in place we're still getting hammered with brute force attempts, and I can't find anything out there that does it currently. Hopefully I can find some spare time in the next month or so to make that.

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

I haven't run into that issue actually. In fact, when I was setting this all up and working with MS support, I asked them if there were any limits to what can be put in the AnyOfClientIPAddressesOrRanges property of the Client Access Rule, as I was worried about this happening, and they said that there were not. I've been running my script hourly since April and I so far have only 63 entries and it's still going strong. How many entries do you have in the rule now, and how are you putting in your /24 ranges? If you can send me your adjusted script and the values of your AnyOfClientIPAddressesOrRanges property on your rule, I can take a look and see if I can figure out what's going on there.

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Client Access Rules, Conditional Access, Block Basic Auth in EXO with this new PowerShell command. It's all getting too much, frankly. We just need a solution in one place that can be easily managed and audited.

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

I downloaded your script and modified it to block the entire /24 for each IP address (bigger hammer). It works great. So great that... in less than 24 hours I reached a limit on the AnyOfClientIPAddressesOrRanges property. I receive the error now: The length of the property is too long. The maximum length is 40960 and the length of the value provided is 44620.

Have you run across that yet? Account lockouts are getting really old.

It would be wonderful if MS would just put in true geo-blocking, not Conditional Access, which only works after successful authentication.

Re: Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

I know that this is a super old thread, but it's still on the front page of Google when you're trying to figure out how to fix this issue, so I thought that I'd share what I've found after a ton of research and troubleshooting.

First off is Conditional Access policies: they require you to have an Azure AD Premium license, and they will not help with this. They only apply to modern authentication attempts, and this attack tends to leverage the old basic authentication method so that all the authentication attempts get tunnelled through the O365 servers before hitting your ADFS, to prevent blocking them at the firewall. Additionally, Conditional Access policies apply after the authentication attempt and let you know if the password was correct or not, so the attacker finds out if they are successful and your accounts still get locked. If you can turn off basic authentication in your environment, then this will help prevent access to the apps, but it doesn't solve the root account lockout issue.

Next is extranet lockout. It can be useful, but as has been mentioned previously, it's being bypassed for the most part by attackers using rate limiting. There are already some links to some good articles on here about it, so that's all I'll say.

Then there are Custom Claims Rules on your ADFS servers. This looks promising, but outside of some guides for some very specific scenarios like locking down all authentication attempts external to your network, it was very hard to find documentation on how to do this or the claims language in general. I ended up leaving this option alone when I found Client Access Rules.

Client Access Rules: these are the best option that I've found so far. These are essentially O365-side firewall rules that apply on initial connection to O365 before the authentication is sent over to your ADFS server, and are based off of the external connecting IP of the attacker if you have an IP filter in place. They are only configurable via PowerShell at this time, and they are a fairly new feature, so they do have their limitations. For example, some of the conditions don't work on all of the products yet, and certain condition and exception combinations you would expect to be able to use aren't available. The big issue I've run into with these is that there is no way to specify regions, only IPs and IP ranges, so I created a PowerShell script to automate grabbing the attacker's IPs from the ADFS logs and update the Blacklist Client Access Rule I have.

The script will parse your local ADFS logs, pick out the originating IPs for all the attacks, enumerate how many bad attempts you are getting per IP, then add any IPs that exceed a specified number of bad password attempts to a specified Client Access Rule to be blocked if it's not in the exclusion list in the script or the Client Access Rule. It also backs up the existing rule to XML before and after making changes, outputs a parsed version of the ADFS logs to CSV, records everything it's doing to a log file, and emails the log file to a specified email address if any errors occur in the script or an IP gets added to the blacklist rule. Personally I have it set up to run every hour via a scheduled task on my ADFS server, and the number of attacks has dropped significantly since I implemented it. I keep meaning to make a blog to post this thing, but since I haven't gotten around to it in months, I figure this would be a good place to share it.

You can find the script 
on%20GitHub%20here%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FKhelbun%2FPowerShellHybridExchange%2Fblob%2Fmaster%2FBlacklistBruteForce.ps1%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FKhelbun%2FPowerShellHybridExchange%2Fblob%2Fmaster%2FBlacklistBruteForce.ps1%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20tried%20to%20explain%20how%20it%20all%20works%20in%20the%20code%20comments%26nbsp%3Bat%20the%20beginning%20and%20to%20put%20everything%20you%20would%20need%20to%20set%20in%20variables%20at%20the%20top%20of%20the%20script.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20the%20link%20to%20Microsoft's%20documentation%20on%20the%20Client%20Access%20Rules%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fclient-access-rules%2Fclient-access-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fclient-access-rules%2Fclient-access-rules%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-174314%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-174314%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20a%20follow%20up%20note%20for%20anyone%20wanting%20to%20know%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20did%20implement%20a%20method%20of%20compliance%20policy%20that%20allowed%20for%20region%20blocking%2C%20only%20problem%2C%20it%20is%20applied%20after%20the%20attempted%20login%26nbsp%3Bso%20accounts%20are%20still%20locked%20out.%3C%2FP%3E%0A%3CP%3EFurther%20notes%20of%20
other%20things%20I%20have%20looked%20at.%3C%2FP%3E%0A%3CP%3ECan't%20use%20blocking%20at%20the%20ADFS%20WAP%26nbsp%3Bserver%20or%26nbsp%3Bfirewall%26nbsp%3Bfronting%2C%26nbsp%3Bas%20it%20is%20using%20Exchange%20Online%20as%20proxy%20(with%20legacy%20and%20activesync%20connections%2C%20Exchange%20makes%20the%20connection%20to%20the%20ADFS%20server%20for%20the%20client%20application%20so%20all%20you%20see%20is%20the%20Exchange%20Online%20server%20IPs)%3C%2FP%3E%0A%3CP%3EDisabling%20all%20of%20the%20other%20protocols%2C%20imap%2Fpop3%2Factivesync%20doesn't%20work%20for%20the%20same%20reason%2C%20authentication%20attempt%20occurs%20before%20stating%20service%20unavailable%2Fblocked.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-G%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-98462%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-98462%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Extranet%20Lockout%20feature%20is%20nice%20for%20sure%2C%20but%20defintely%20not%20the%20definitive%20solution%20it%20could%20be.%3C%2FP%3E%3CP%3EI%20wish%20ADFS%20had%20a%20captcha%20feature%20that%20only%20kicked%20after%20a%20set%20number%20of%20failed%20attempts.%20Maybe%20one%20less%20than%20what%20is%20set%20for%20the%20Extranet%20Lockout.%20That%20way%2C%20endusers%20do%20not%20have%20to%20enter%26nbsp%3B%20the%20captcha%20unless%20they%20are%20fat-fingered%20the%20password%20N%20amount%20of%20times%2C%20and%20the%20bad%20guys%20would%20that%20hoop%20to%20get%20through%20if%20they%20were%20hammering%20the%20relying%20party.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-98459%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-98459%22%20slang%3
D%22en-US%22%3E%3CP%3EMy%20organization%20is%20dealing%20with%20the%20same%20threat%20as%20you.%20We've%20been%20getting%20hit%20hard%20dating%20back%20a%20month%20ago%20now%20when%20it%20really%20became%20noticable.%3C%2FP%3E%3CP%3EWe're%20testing%20with%20the%20Extranet%20Lockout%20but%20that%20in%20itself%20still%20isn't%20a%20great%20comeback.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92690%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92690%22%20slang%3D%22en-US%22%3E%3CP%3E(Fingers%20crossed)%3C%2FP%3E%3CP%3EWon't%20hold%20my%20breath.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-G%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92689%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92689%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20judging%20by%20the%20new%20cmdlet%20available%20in%20the%20ADAL-enabled%20ExO%20PowerShell%20module%2C%20we%20should%20have%20support%20for%20SCC%20PowerShell%20too%20soon%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92684%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92684%22%20slang%3D%22en-US%22%3E%3CP%3EOh%20yeah.%20That's%20how%20I%20have%20been%20able%20to%20determine%20it%20has%20been%20going.%3C%2FP%3E%3CP%3ETwice%20a%20day%20I%20go%20through%20and%20hunt%20for%20the%20411%20event%20ID's%2C%20export%20them%20as%20xml%20perform%20a%20couple%20of%20quick%20filters%20in%20excel%2C%20save%20as%20csv%20then%20use%20a%20couple%20of%20find%20replaces%20in%20notepad%2B%2B%20to%20get
%20it%20into%20a%20usable%20state.%3C%2FP%3E%3CP%3EThen%20parse%20the%20IP%20addresses%20presented%20using%20geoiplocation%20command%20in%20linux%20shell%20to%20determine%20location.%3C%2FP%3E%3CP%3EUnfortunately%2C%20it%20doesn't%20really%20give%20me%20a%20way%20of%20trying%20to%20deal%20with%20it.%3C%2FP%3E%3CP%3EIt%20looks%20like%20we%20may%20be%20going%20down%20the%20MFA%20route%20here%20in%20the%20near%20future%20to%20minimize%20possible%20account%20compromise.%26nbsp%3BAlthough%20their%20are%20still%20a%20couple%20of%26nbsp%3Bissues%20we%20are%20running%20into%2C%20like%20powershell%20access%20to%20security%20%26amp%3B%20compliance%20center%2C%20but%20this%20really%20only%20affects%20admins%2C%20then%20there%20appear%20to%20be%26nbsp%3Ba%20few%20issues%20with%20mobile%20powerapps.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-G%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92674%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92674%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20you%20are%20unable%20to%20surface%20the%20real%20IP%20addresses%20of%20the%20offending%20client%20via%20ADFS%3F%20Thats%20what%20we%20do.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fpie%2F2016%2F02%2F02%2Fad-fun-services-track-down-the-source-of-adfs-lockouts%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fpie%2F2016%2F02%2F02%2Fad-fun-services-track-down-the-source-of-adfs-lockouts%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92629%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92629%
22%20slang%3D%22en-US%22%3E%3CP%3EMy%20apologies%2C%20thought%20I%20had%20mentioned%20that%20they%20are%20doing%20it%20sporadically%20enough%20it%20isn't%20triggering%26nbsp%3Bextranet%20lockout%20and%20it%20is%20enabled%20and%20configured.%20For%20the%20most%20part%2C%20they%20are%20spreading%20the%20logon%20attempts%20to%20one%26nbsp%3Bevery%205%20or%206%20hours%20(only%204%26nbsp%3Bsometimes%205%20attempts%20a%20day).%20So%20even%20with%26nbsp%3Bmy%20extranet%20lockout%20set%20at%205%20they%20are%20flying%20under%20the%20radar.%20(badPWDcount%20resets%20to%200%20on%20successful%20login%20from%20the%20user%20throughout%20the%20day)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-G%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-91639%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-91639%22%20slang%3D%22en-US%22%3E%3CP%3Eand%20to%20add%20to%20what%20Vasil%20mentioned%2C%20ensure%20you%20have%20the%20lockout%20feature%20configured%20correctly%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.msdn.microsoft.com%2Fluzhao1%2F2015%2F06%2F24%2Fdemystify-extranet-lockout-feature-in-ad-fs-3-0%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.msdn.microsoft.com%2Fluzhao1%2F2015%2F06%2F24%2Fdemystify-extranet-lockout-feature-in-ad-fs-3-0%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIts%20also%20worth%20repeating%20that%20MFA%20only%20protects%20you%20against%20a%20compromised%20password%2C%20not%20from%20anyone%20attempting%20to%20make%20attempts%20and%20eventually%20locking%20the%20account.%20If%20the%20extranet%20lockout%20feature%20is%20enabled%2C%20external%20accounts%20can%20still%20be%20%22soft-locked%22%20out%20of%20their%20accounts%20until%
20the%20extranet%20observation%20window%20passes.%20So%20what%20you%20are%20really%20protecting%20is%20the%20internal%20AD%20lockout.%3C%2FP%3E%3CP%3EI%20would%20also%20consider%20using%20a%203rd%20party%20product%20such%20as%20SpecOps%20%3CA%20href%3D%22https%3A%2F%2Fspecopssoft.com%2Fproduct%2Fspecops-password-policy%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fspecopssoft.com%2Fproduct%2Fspecops-password-policy%2F%3C%2FA%3E%26nbsp%3Bwhich%20can%20help%20enforce%20complicated%20passwords%20to%20a%20greater%20extent%20that%20what%20is%20built-in%20to%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-91361%22%20slang%3D%22en-US%22%3ERe%3A%20Dealing%20with%20high%20number%20of%20failed%20log%20on%20attempts%20from%20foreign%20countries%20utilizing%20Exchange%20Onl%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-91361%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20of%20all%2C%20look%20at%20the%20AD%20FS%20extranet%20lockout%20feature%3A%20%3CA%20href%3D%22http%3A%2F%2Fblogs.technet.com%2Fb%2Frmilne%2Farchive%2F2014%2F05%2F05%2Fenabling-adfs-2012-r2-extranet-lockout-protection.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fblogs.technet.com%2Fb%2Frmilne%2Farchive%2F2014%2F05%2F05%2Fenabling-adfs-2012-r2-extranet-lockout-protection.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20the%20protocol%20info%2C%20you%20can%20get%20some%20hints%20from%20the%20claims%20included%20in%20the%20AD%20FS%20events.%20Even%20audit%20failures%20contain%20some%20of%20the%20data%2C%20so%20look%20not%20only%20for%20411%20but%20the%20accompanying%20403%2F410%20events.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMFA%20is%20certainly%20an%20option%2C%20you%20dont%20need%20to%20use%20a%20company-sanctioned%20mobile%20device%20to%20use%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Eugene Pinson
Occasional Contributor

We have noted a drastic increase in the number of failed log on attempts coming from countries outside the US within ADFS, obviously attempting to log in through Exchange Online.

(When reviewing event id 411 specifically within the security logs of the ADFS servers you will note two IP addresses "OriginIPAddress,MicrosoftExchangeOnlineIP".)

We are running a hybrid environment with ADFS 3.0 on 2012 r2 and O365, AD domain is on 2008 r2.

We have a user base of approximately 700 users

This presents a couple of obvious issues.

Enabled advanced event logging for ADFS and processes, so I can see the IP addresses of logins through ADFS

Every day, I am processing through all of the 411 events within the security event logs and consolidating it into a spreadsheet for easier consumption. (Not a pretty process as I haven't completely fine-tuned it yet.)

 

Here's some of the things I am seeing for all of the foreign IP addresses

They are making attempts at approximately 400 account names.

The majority of attempts are performed in alphabetical order with occasional deviations

They are rate limiting what they are trying for the most part to only 4 or 5 attempts per account per day with occasional deviations which wind up triggering the extranet lockout for a given user.

Microsoft's online logging and monitoring of failures such as these is pretty much worthless or outright non-existent.

 

Limitations of my environment

We can't enable MFA across the board as the company won't supply mobile devices across the board and they find the cost for tokens too prohibitive.

Have contemplated blocking regional IP addresses but this presents its own problems.

One, I can't block it at the firewall fronting the ADFS WAP as they are utilizing basic auth through Exchange Online so all we would see at the firewall is the Exchange Online IP addresses.

Two, can't enable conditional access, as it is designed to be inclusive not exclusive, where the IPs specified are for known good networks. We have too many remote locations that are on some form of dynamic connection.

Three, I can't really block non-US IPs as we routinely have execs traveling.

 

 

Sorry for the long winded description. Here is where the questions come in.

I am hunting for ideas

First, any ideas on how to mitigate this other than what was already provided?

Second, anyone found a way to determine which protocols these authentication attempts are being made against Exchange Online? It logs client type for successes, which allows you to do some tracking of client type, but it does not provide any form of reporting or logging that I have found for failed attempts, and there doesn't appear to be anything I can extract from AD FS logs.

Three, anyone found a way to fully monitor the Azure AD sign-ins? MS has their reporting and the online logging, but I would like to have something monitor the Azure AD sign-ins for successful failures from foreign IP addresses and notify on these events. We don't have that many people that travel outside the country, so it's easy to correlate to a given known user traveling.

Four, anyone else seeing something along these lines?

 

Thanks for your time,

 

-G

20 Replies

First of all, look at the AD FS extranet lockout feature: http://blogs.technet.com/b/rmilne/archive/2014/05/05/enabling-adfs-2012-r2-extranet-lockout-protecti...

 

For the protocol info, you can get some hints from the claims included in the AD FS events. Even audit failures contain some of the data, so look not only for 411 but the accompanying 403/410 events.

 

MFA is certainly an option, you don't need to use a company-sanctioned mobile device to use it.

and to add to what Vasil mentioned, ensure you have the lockout feature configured correctly:

https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

 

It's also worth repeating that MFA only protects you against a compromised password, not from anyone attempting to make attempts and eventually locking the account. If the extranet lockout feature is enabled, external accounts can still be "soft-locked" out of their accounts until the extranet observation window passes. So what you are really protecting is the internal AD lockout.

I would also consider using a 3rd party product such as SpecOps https://specopssoft.com/product/specops-password-policy/ which can help enforce complicated passwords to a greater extent than what is built in to AD.

 

 

My apologies, thought I had mentioned that they are doing it sporadically enough it isn't triggering extranet lockout and it is enabled and configured. For the most part, they are spreading the logon attempts to one every 5 or 6 hours (only 4 sometimes 5 attempts a day). So even with my extranet lockout set at 5 they are flying under the radar. (badPWDcount resets to 0 on successful login from the user throughout the day)

 

-G

 

 

 

Oh yeah. That's how I have been able to determine it has been going.

Twice a day I go through and hunt for the 411 event IDs, export them as XML, perform a couple of quick filters in Excel, save as CSV, then use a couple of find/replaces in Notepad++ to get it into a usable state.

Then parse the IP addresses presented using geoiplocation command in linux shell to determine location.

Unfortunately, it doesn't really give me a way of trying to deal with it.

It looks like we may be going down the MFA route here in the near future to minimize possible account compromise. Although there are still a couple of issues we are running into, like PowerShell access to Security & Compliance Center, but this really only affects admins; then there appear to be a few issues with mobile PowerApps.

 

-G
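The manual 411-export-to-spreadsheet process described above can be collapsed into a few lines of PowerShell. The following is an added example, not code from this thread or from any script linked in it. It assumes the audit event text carries a "Client IP:" value of the form "OriginIPAddress,MicrosoftExchangeOnlineIP" (as the original post describes) and groups attempts by the first address, so a source that spreads a handful of attempts across hundreds of accounts still stands out as one noisy origin. The sample events and the 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are constructed (documentation ranges), and the exclusion list is a placeholder for your own egress addresses.

```powershell
# Added example (not from the thread or the linked script): group AD FS audit
# events by originating client address, ignoring the Exchange Online proxy IP.
# Assumption: the event text contains "Client IP:" followed by "<origin>,<EXO proxy>".

function Get-OriginIp {
    param([string]$Message)
    # First address is the real client; the second (when present) is the Exchange
    # Online server that proxied the basic-auth request to AD FS.
    if ($Message -match 'Client IP:\s*([0-9a-fA-F.:]+)(?:\s*,\s*([0-9a-fA-F.:]+))?') {
        return $Matches[1]
    }
    return $null
}

function Get-AttemptsByOrigin {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects exposing Id and Message
        [string[]]$Exclude = @(),                  # your own egress addresses (assumed placeholder)
        [int]$Threshold = 5                        # report sources at or above this count
    )
    $Events |
        Where-Object { $_.Id -in 411, 512, 516 } |
        ForEach-Object { Get-OriginIp -Message $_.Message } |
        Where-Object { $_ -and ($_ -notin $Exclude) } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property @{ Name = 'OriginIp'; Expression = { $_.Name } }, Count
}

# Constructed sample events (documentation-range origins) so the functions can be
# exercised without an AD FS server. The second address mimics the EXO proxy.
$sampleEvents = @(
    [pscustomobject]@{ Id = 411; Message = "Token validation failed.`nClient IP:`n198.51.100.7,52.97.135.253" }
    [pscustomobject]@{ Id = 411; Message = "Token validation failed.`nClient IP:`n198.51.100.7,40.101.96.109" }
    [pscustomobject]@{ Id = 516; Message = "The following user account has been locked out.`nClient IP:`n198.51.100.7,52.97.135.253" }
    [pscustomobject]@{ Id = 411; Message = "Token validation failed.`nClient IP:`n203.0.113.10,52.97.135.253" }  # own egress, excluded
    [pscustomobject]@{ Id = 411; Message = "Token validation failed.`nClient IP:`n192.0.2.44" }                   # single attempt, below threshold
)
Get-AttemptsByOrigin -Events $sampleEvents -Exclude '203.0.113.10' -Threshold 2

# Live use on an AD FS server with success/failure auditing enabled (elevated prompt):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 411, 512, 516; StartTime = (Get-Date).AddHours(-24) }
# Get-AttemptsByOrigin -Events $events -Exclude '203.0.113.10' -Threshold 5
```

With the constructed sample, only 198.51.100.7 is returned (three hits); the excluded egress address and the single-attempt source are dropped. Keep the threshold above the number of attempts a genuine user would plausibly make in the window you query, and always keep your own egress and VPN addresses on the exclusion list before feeding the output to any blocking rule.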

Well, judging by the new cmdlet available in the ADAL-enabled ExO PowerShell module, we should have support for SCC PowerShell too soon :)

My organization is dealing with the same threat as you. We've been getting hit hard dating back a month ago now when it really became noticeable.

We're testing with the Extranet Lockout but that in itself still isn't a great comeback.

The Extranet Lockout feature is nice for sure, but definitely not the definitive solution it could be.

I wish ADFS had a captcha feature that only kicked in after a set number of failed attempts. Maybe one less than what is set for the Extranet Lockout. That way, end users do not have to enter the captcha unless they have fat-fingered the password N amount of times, and the bad guys would have that hoop to get through if they were hammering the relying party.

Just a follow up note for anyone wanting to know;

 

Microsoft did implement a method of compliance policy that allowed for region blocking, only problem, it is applied after the attempted login so accounts are still locked out.

Further notes of other things I have looked at.

Can't use blocking at the ADFS WAP server or firewall fronting, as it is using Exchange Online as proxy (with legacy and activesync connections, Exchange makes the connection to the ADFS server for the client application so all you see is the Exchange Online server IPs)

Disabling all of the other protocols, imap/pop3/activesync doesn't work for the same reason, authentication attempt occurs before stating service unavailable/blocked.

 

-G

I know that this is a super old thread, but it's still on the front page of google when you're trying to figure out how to fix this issue, so I thought that I'd share what I've found after a ton of research and troubleshooting.

 

First off is Conditional Access policies, they require you to have an Azure AD Premium license, and they will not help with this.  They only apply to modern authentication attempts, and this attack tends to leverage the old basic authentication method so that all the authentication attempts get tunnelled through the O365 servers before hitting your ADFS to prevent blocking them at the firewall.  Additionally Conditional Access policies apply after the authentication attempt and lets you know if the password was correct or not, so the attacker finds out if they are successful and your accounts still get locked.  If you can turn off basic authentication in your environment, then this will help prevent access to the apps, but it doesn't solve the root account lockout issue.

 

Next is extranet lockout, it can be useful, but as has been mentioned previously it's being bypassed for the most part by attackers by them using rate limiting.  There's already some links to some good articles on here about it so that's all I'll say.

 

Then there is Custom Claims Rules on your ADFS servers.  This looks promising, but outside of some guides for some very specific scenarios like locking down all authentication attempts external to your network, it was very hard to find documentation on how to do this or the claims language in general.  I ended up leaving this option alone when I found Client Access Rules.

 

Client Access Rules, these are the best option that I've found so far.  These are essentially O365 side firewall rules that apply on initial connection to O365 before the authentication is sent over to your ADFS server, and are based off of the external connecting IP of the attacker if you have an IP filter in place.  They are only configurable via PowerShell at this time, and they are a fairly new feature, so they do have their limitations.  For example some of the conditions don't work on all of the products yet, and certain condition and exception combinations you would expect to be able to use aren't available.  The big issue I've run into with these is that there is no way to specify regions, only IPs and IP ranges, so I created a PowerShell script to automate grabbing the attacker's IPs from the ADFS logs and update the Blacklist Client Access Rule I have.

 

 

The script will parse your local ADFS logs, pick out the originating IPs for all the attacks, enumerate how many bad attempts you are getting per IP, then add any IPs that exceed a specified number of bad password attempts to a specified Client Access Rule to be blocked if it's not in the exclusion list in the script or the Client Access Rule.  It also backs up the existing rule to XML before and after making changes, outputs a parsed version of the ADFS logs to CSV, records everything it's doing to a log file, and emails the log file to a specified email address if any errors occur in the script, or an IP gets added to the blacklist rule.  Personally I have it set up to run every hour via a scheduled task on my ADFS server, and the number of attacks has dropped significantly since I implemented it.  I keep meaning to make a blog to post this thing, but since I haven't gotten around to it in months I figure this would be a good place to share it. 

 

You can find the script on GitHub here:

 

https://github.com/Khelbun/PowerShellHybridExchange/blob/master/BlacklistBruteForce.ps1 

 

I've tried to explain how it all works in the code comments at the beginning and to put everything you would need to set in variables at the top of the script.

 

Here's the link to Microsoft's documentation on the Client Access Rules:

 

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/...

 

I downloaded your script and modified it to block the entire /24 for each IP address (bigger hammer).  It works great.  So great that...in less than 24 hours I reached a limit on the AnyOfClientIPAddressesOrRanges Property.  I receive the error now: The length of the property is too long. The maximum length is 40960 and the length of the value provided is 44620.

 

Have you run across that yet? Account lockouts are getting really old. 

 

It would be wonderful if MS would just put in true geo-blocking, not Conditional Access, which only works after successful authentication.

Client Access Rules, Conditional Access, Block Basic Auth in Exo with this new powershell command. It's all getting too much frankly. We just need a solution in one place that can be easily managed and audited

I haven't run into that issue actually.  In fact when I was setting this all up and working with MS support I asked them if there were any limits to what can be put in the AnyOfClientIPAddressesOrRanges property of the Client Access Rule as I was worried about this happening, and they said that there were not.  I've been running my script hourly since April and I so far have only 63 entries and it's still going strong.  How many entries do you have in the rule now, and how are you putting in your /24 ranges?  If you can send me your adjusted script and the values of your AnyOfClientIPAddressesOrRanges property on your rule I can take a look and see if I can figure out what's going on there.

Andy, I 100% agree that it should be something we already have as a simple GUI option for all O365 tenants, but unfortunately it doesn't appear to be something that they are interested in doing as people have been asking for it since they first put out O365 and they haven't yet implemented it.

 

I'm actually planning on seeing if I can make a Powershell script to create and maintain region blocking via a Client Access Rule as even with all the above protections in place we're still getting hammered with brute force attempts, and I can't find anything out there that does it currently.  Hopefully I can find some spare time in the next month or so to make that.

We set our threshold much lower than yours.  We looked through our logs and even at 4 hits on an individual IP address they were still coming from other countries.  So we set our threshold at 4 knowing that we increased the risk of a false positive and we would have to come back through and remove it and whitelist it after the fact.  With that being said, in a matter of 18 hours we reached 1267 entries in our AnyOfClientIPAddressesOrRanges property.  So the script worked well!  Too well...

 

I'll send you a message on here if the attach file thing doesn't work with the full text of the modified script and you can see the section that I modified to convert to IPv4.  I commented in it.
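The script post above describes the update step (back up the rule to XML, skip excluded addresses, append offenders), and the exchange that follows shows the failure mode nobody expected: the AnyOfClientIPAddressesOrRanges property rejects values over 40960 characters. The following is an added example, not the thread's script and not Microsoft's code, showing how that update step can be written so it refuses to push the rule past the limit instead of failing mid-run. It assumes the limit applies to the comma-joined value of the property (a conservative reading of the error text quoted above), an Exchange Online PowerShell session where Get-ClientAccessRule and Set-ClientAccessRule are available, and a rule name and backup folder that are placeholders. The addresses in the offline check are constructed.

```powershell
# Added example (not the thread's script): grow a Client Access Rule's blocklist
# safely. Assumptions: the 40960-character limit is measured on the comma-joined
# property value; an Exchange Online PowerShell session is already open.

$MaxPropertyLength = 40960   # limit quoted in this thread; treated as a guard, not a spec

function Merge-BlockList {
    param(
        [string[]]$Existing,
        [string[]]$Candidates,
        [string[]]$Exclude = @()
    )
    # Deduplicate, drop excluded entries, keep existing order, append new ones.
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($ip in @($Existing) + @($Candidates)) {
        if ($ip -and ($ip -notin $Exclude) -and ($ip -notin $merged)) { $merged.Add($ip) }
    }
    return ,$merged.ToArray()
}

function Test-FitsPropertyLimit {
    param([string[]]$Values)
    return (($Values -join ',').Length -le $MaxPropertyLength)
}

function Update-BlockRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,     # placeholder: your blacklist rule
        [Parameter(Mandatory)][string[]]$NewIps,     # offenders from the AD FS log parse
        [string[]]$Exclude = @(),                    # your own egress addresses
        [string]$BackupDir = "$env:ProgramData\AdfsBlocklist"   # placeholder path
    )
    $rule = Get-ClientAccessRule -Identity $RuleName
    $existing = @($rule.AnyOfClientIPAddressesOrRanges | ForEach-Object { $_.ToString() })

    # Snapshot the rule before touching it, so a bad run can be rolled back.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $rule | Export-Clixml -Path (Join-Path $BackupDir "$RuleName-$stamp-before.xml")

    $merged = Merge-BlockList -Existing $existing -Candidates $NewIps -Exclude $Exclude
    $added  = @($merged | Where-Object { $_ -notin $existing })
    if ($added.Count -eq 0) { return @() }   # nothing new; leave the rule untouched

    # Fail closed: better to keep the current rule than to lose the whole update.
    if (-not (Test-FitsPropertyLimit -Values $merged)) {
        throw "Rule '$RuleName' would exceed $MaxPropertyLength characters; aggregate entries into CIDR ranges first."
    }

    Set-ClientAccessRule -Identity $RuleName -AnyOfClientIPAddressesOrRanges $merged
    Get-ClientAccessRule -Identity $RuleName | Export-Clixml -Path (Join-Path $BackupDir "$RuleName-$stamp-after.xml")
    return $added
}

# Offline check of the merge and limit logic with constructed addresses (no EXO session needed):
$current = @('198.51.100.0/24', '192.0.2.44')
$merged  = Merge-BlockList -Existing $current -Candidates @('192.0.2.44', '203.0.113.10', '192.0.2.99') -Exclude @('203.0.113.10')
Test-FitsPropertyLimit -Values $merged

# Live use, once connected to Exchange Online PowerShell:
# Update-BlockRule -RuleName 'Block brute-force sources' -NewIps $offenders -Exclude @('203.0.113.10')
```

In the offline check, Merge-BlockList keeps the two existing entries, drops the duplicate 192.0.2.44 and the excluded 203.0.113.10, and appends 192.0.2.99; Test-FitsPropertyLimit returns True for that short list. The throw is deliberate: a rule that silently stops growing is worse than a run that fails loudly, because the scheduled task's error notification is what tells you it is time to consolidate individual addresses into the ranges the later posts describe.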

I am working on this very same thing and it has been nasty! I got to the exact same place as Eric albeit just a TINY bit differently, but exact same idea. Since most of these attacks are from countries we have no business with or executives traveling to, we block out the IP's whole registered subnet.

I am working on adding the ability to get that data from http://who.is or elsewhere (I am curious about that Linux command Eric uses for GeoIP data). Adding this to the script will most definitely save me having to go look it up. I have 4 /8s and 2 /16 subnets in my lists now, so for now we are OK with the limit you ran into.

We are going to have to pony up for some form of token access or service like DUO which we already use for Remote Desktop Gateway MFA. I just need a way to authenticate people that SHOULD be authenticated not just usernames that CAN be. I'm looking for a way to allow our Execs to just not be bothered with this at ALL since it's only a matter of time until someone goes to China and then we are back to the drawing board!

Hi,

I just wanted to ask a quick question, maybe a stupid one mind you, but I noticed this is looking for event ID 411, but when I view the events in Event Viewer the IP information is contained in event IDs 516 & 512; the 411 looks like below. Will the script still work OK or do I need to amend it?


I agree with you guys this is becoming a total pain to manage as we have a couple of accounts that get hit throughout the day, sometimes locking them up out of hours etc... and as mentioned before it seems to be run through alphabetically and even with some random names that aren't within the company. I'm hoping this helps with the problem, but I do think MS should be doing more.
Event ID 411:
Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Error message:
Removed@goodreason.com-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: s.voigt@ikmconsulting.co.uk ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

Event ID 516:
The following user account has been locked out due to too many bad password attempts.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
removed@forgoodreason.co.uk
Client IP:
212.38.173.4,52.97.135.253
Bad Password Count:
8
Last Bad Password Attempt:
08/11/2018

Event ID 512:
The account for the following user is locked out. A login attempt is being allowed due to the system configuration.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
removed@goodreason.co.uk
Client IP:
212.38.173.4,40.101.96.109
Bad Password Count:
8
Last Bad Password Attempt:
08/11/2018


great write-up by the way, Eric ...

paddi
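The two addresses in those 512/516 events are the thing to key on: the first is the real origin, the second is the Exchange Online address the basic-auth request was proxied through. Below is an added example (not part of the thread) that parses that layout and ranks origins by how many distinct accounts they hit, which separates a spray from one user with a stale password. The event text, IPs and user names are constructed placeholders, and the live Get-WinEvent filter assumes the "AD FS Auditing" provider name as it appears on an AD FS 3.0 server.

```powershell
# Added example, not from the original thread: parse AD FS 512/516 audit events into
# (user, origin IP, Exchange Online proxy IP) and rank sources by distinct accounts touched.
# Sample events are constructed below; IPs and names are placeholders.

function ConvertFrom-AdfsLockoutEvent {
    # Accepts Get-WinEvent records (or anything with .Id and .Message) from the pipeline
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $msg = [string]$Event.Message
        # In the event text each label sits on its own line with the value on the next one
        $user  = [regex]::Match($msg, '(?m)^User:\s+(\S+)').Groups[1].Value
        $ips   = [regex]::Match($msg, '(?m)^Client IP:\s+(\S+)').Groups[1].Value
        $count = [regex]::Match($msg, '(?m)^Bad Password Count:\s+(\d+)').Groups[1].Value
        if (-not $ips) { return }   # not a lockout-style event, skip it
        # "Client IP" reads "<origin>,<Exchange Online IP>" when EXO proxied the request
        # (IMAP/POP/ActiveSync basic auth); the first entry is the address to attribute and block
        $parts = $ips -split ','
        [pscustomobject]@{
            EventId  = [int]$Event.Id
            User     = $user.ToLowerInvariant()
            OriginIP = $parts[0].Trim()
            ProxyIP  = if ($parts.Count -gt 1) { $parts[1].Trim() } else { $null }
            BadCount = if ($count) { [int]$count } else { 0 }
        }
    }
}

function Get-SprayingSources {
    # Groups parsed events by origin and keeps sources that hit several different accounts,
    # the signature of a password spray rather than one user mistyping a password
    param([Parameter(Mandatory)] $Parsed, [int] $MinDistinctUsers = 3)
    $Parsed | Group-Object OriginIP | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            OriginIP          = $_.Name
            Events            = $_.Count
            DistinctUsers     = $users.Count
            Lockouts          = @($_.Group | Where-Object EventId -eq 516).Count
            ViaExchangeOnline = @($_.Group | Where-Object ProxyIP).Count -gt 0
            Users             = $users -join ' '
        }
    } | Where-Object DistinctUsers -ge $MinDistinctUsers | Sort-Object DistinctUsers -Descending
}

function New-SampleEvent([int]$Id, [string]$User, [string]$ClientIp, [int]$Bad) {
    # Constructed in the layout of the 512/516 events pasted above (label line, then value line)
    $text = "Additional Data`nUser:`n$User`nClient IP:`n$ClientIp`nBad Password Count:`n$Bad`n"
    [pscustomobject]@{ Id = $Id; Message = $text }
}

# Constructed sample: one source cycling through several accounts, two incidental failures
$sampleEvents = @(
    New-SampleEvent 516 'a.adams@example.com' '203.0.113.7,52.97.135.253'   8
    New-SampleEvent 512 'b.baker@example.com' '203.0.113.7,40.101.96.109'   8
    New-SampleEvent 516 'c.clark@example.com' '203.0.113.7,52.97.135.253'   8
    New-SampleEvent 516 'd.davis@example.com' '198.51.100.22,52.97.135.253' 8
    New-SampleEvent 512 'e.evans@example.com' '10.0.0.5'                    8   # on-prem client, no EXO hop
)

$parsed = $sampleEvents | ConvertFrom-AdfsLockoutEvent
Get-SprayingSources -Parsed $parsed | Format-Table -AutoSize

# Live use on an AD FS 3.0 server: the audit events sit in the Security log under the
# "AD FS Auditing" provider (assumed provider name; check with Get-WinEvent -ListProvider)
# Get-WinEvent -LogName Security -FilterXPath "*[System[Provider[@Name='AD FS Auditing'] and (EventID=512 or EventID=516)]]" |
#     ConvertFrom-AdfsLockoutEvent | Get-SprayingSources | Format-Table -AutoSize
```

The distinct-user count is the spray signal; the threshold of 3 fits the five-event sample and would be raised for a 700-user tenant. 411 events can be fed through the same function when their text carries a Client IP line in the same layout.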

Solution

Not sure if anyone has seen this. There is a new tool for your basket. This has helped us greatly.

A couple of months ago Microsoft released to preview and then has pushed forward 'Authentication Policies'.

These authentication policies are processed before the request is passed to AAD or ADFS, saving the failed login from being recorded against the account.

And yes, this can be applied to individuals or small groups to test first (just remember to wait to be sure the policy is applied to the user in question before calling it good or not).

See "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen..."


Basic outline

Make sure you have modern authentication enabled for your organization.

Create an authentication policy blocking basic auth for POP, IMAP and such (the biggest one we were seeing was IMAP).

If you have any user or service accounts that require basic auth for any of the protocols you are disabling in the previous policy, create a second policy allowing those protocols.

If you have any users utilizing POP, IMAP or any other method you determine doesn't need basic authentication, get them migrated to some other form of client app or access.

If there are any accounts that absolutely require basic auth (e.g. we have a ticketing system that uses IMAP with basic auth to connect to a specific mailbox), make a note of them to exclude from your query for users to apply your restricted policy to.

Query for and apply the unrestricted policy to the service accounts or users that require basic auth for the protocols disabled by the restricted policy.

Query for and apply the restricted policy to the majority of your users.

Apply the restricted policy as the global default (for new users).

Either wait 24 hours for it to be applied, or touch a user property on the user and wait approximately 30 minutes.

Note, the below worked for me. Make sure you research and adjust for your own needs. I take no responsibility for what you do to your environment. These are only examples.

 

Exchange PowerShell commands used

connect-exopssession -UserPrincipalName {exchangeonline admin}

New-AuthenticationPolicy -Name "Block_Basic_Auth_Selective"

# Blocks basic auth for IMAP, POP and SMTP but allows it for things like ActiveSync
# (adjust according to your needs)
Set-AuthenticationPolicy -Identity "Block_Basic_Auth_Selective" -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap:$false -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices -AllowBasicAuthPowerShell

New-AuthenticationPolicy "Allow_Basic_Auth"

# Allows basic auth for every protocol (adjust according to your needs)
Set-AuthenticationPolicy -Identity "Allow_Basic_Auth" -AllowBasicAuthActiveSync:$true -AllowBasicAuthAutodiscover:$true -AllowBasicAuthImap:$true -AllowBasicAuthMapi:$true -AllowBasicAuthOfflineAddressBook:$true -AllowBasicAuthOutlookService:$true -AllowBasicAuthPop:$true -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$true -AllowBasicAuthWebServices:$true -AllowBasicAuthPowerShell

To simplify things for my environment I manually set the users that required basic auth (I only had two)

Set-User -Identity "User One" -AuthenticationPolicy "Allow_Basic_Auth"

To touch the user to make the policy get applied quicker

Set-User -Identity "User One" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

For the rest of my users

# Mailbox users that have no authentication policy assigned yet
$users = Get-User -ResultSize Unlimited | Where-Object { $_.RecipientType -eq "UserMailbox" -and $_.AuthenticationPolicy -eq $null }

$users = $users.WindowsEmailAddress

$users | ForEach-Object { Set-User -Identity $_ -AuthenticationPolicy "Block_Basic_Auth_Selective" }

If you want to touch the users to apply the policy quicker, since the query is already in memory

$users | ForEach-Object { Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Now the following command will apply the restricted policy as the global default. (Note, when I first implemented this, the unrestricted users did not have a policy applied and as such I thought they would have no policy applied, but once the default policy was applied to the global config, it affected the unrestricted, unconfigured users.)

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block_Basic_Auth_Selective"


Remember, mileage will vary. Read everything you can find on Authentication Policy/ies.

For us, for now, this has completely removed the issues we were having with illegitimate failed login attempts and account lockouts.
We ran into only the one issue mentioned above with the accounts that had no policy assigned and then the global policy being applied.

Remember, it takes approximately 24 hours for the policy to be applied to a user unless one of the user's properties is modified.

There is one thing I will mention: at this time, when this is applied, there is nothing logged for failed attempts that fall afoul of the blocked basic auth policy, even in Azure AD Sign-ins.

-Gene
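As an added check (not part of Gene's post), this audits the policy each mailbox actually ends up with, which is the point Gene ran into: a user with no policy of their own inherits whatever Set-OrganizationConfig made the default, and with no default at all basic auth stays open. The policy names are the ones from the post; the sample policy and user objects are constructed so the logic runs without a tenant, and comparing Get-User's AuthenticationPolicy value by policy name is an assumption about how that property renders.

```powershell
# Added example, not from the original post: report the effective authentication policy per
# mailbox (own policy, else org default, else none) and who can still use basic auth for
# IMAP/POP/SMTP. Policy names follow the post; sample objects are constructed.

function Get-EffectiveBasicAuthExposure {
    param(
        [Parameter(Mandatory)] $Users,      # Get-User output: WindowsEmailAddress, AuthenticationPolicy
        [Parameter(Mandatory)] $Policies,   # Get-AuthenticationPolicy output
        [string] $OrgDefaultPolicy          # (Get-OrganizationConfig).DefaultAuthenticationPolicy as a string
    )
    foreach ($u in $Users) {
        # A user with no policy of their own inherits the org default, which is exactly the
        # surprise described in the post once the global default was set
        $name = if ($u.AuthenticationPolicy) { "$($u.AuthenticationPolicy)" } else { $OrgDefaultPolicy }
        # Assumption: the AuthenticationPolicy property renders as the policy name, so match on Name
        $pol  = $Policies | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        # No policy anywhere means Exchange Online applies no basic-auth restriction at all
        $imap = if ($pol) { [bool]$pol.AllowBasicAuthImap } else { $true }
        $pop  = if ($pol) { [bool]$pol.AllowBasicAuthPop }  else { $true }
        $smtp = if ($pol) { [bool]$pol.AllowBasicAuthSmtp } else { $true }
        [pscustomobject]@{
            User            = "$($u.WindowsEmailAddress)"
            EffectivePolicy = if ($pol) { $pol.Name } else { '(none)' }
            BasicImap       = $imap
            BasicPop        = $pop
            BasicSmtp       = $smtp
            Exposed         = ($imap -or $pop -or $smtp)
        }
    }
}

# Constructed sample: the two policies from the post and three mailboxes in different states
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Block_Basic_Auth_Selective'; AllowBasicAuthImap = $false; AllowBasicAuthPop = $false; AllowBasicAuthSmtp = $false }
    [pscustomobject]@{ Name = 'Allow_Basic_Auth';           AllowBasicAuthImap = $true;  AllowBasicAuthPop = $true;  AllowBasicAuthSmtp = $true }
)
$sampleUsers = @(
    [pscustomobject]@{ WindowsEmailAddress = 'a.user@example.com';    AuthenticationPolicy = 'Block_Basic_Auth_Selective' }
    [pscustomobject]@{ WindowsEmailAddress = 'ticketing@example.com'; AuthenticationPolicy = 'Allow_Basic_Auth' }   # the IMAP ticketing mailbox
    [pscustomobject]@{ WindowsEmailAddress = 'new.hire@example.com';  AuthenticationPolicy = $null }               # never assigned a policy
)

# State before Set-OrganizationConfig: no org default in place
Get-EffectiveBasicAuthExposure -Users $sampleUsers -Policies $samplePolicies -OrgDefaultPolicy $null | Format-Table -AutoSize

# State after Set-OrganizationConfig -DefaultAuthenticationPolicy "Block_Basic_Auth_Selective"
Get-EffectiveBasicAuthExposure -Users $sampleUsers -Policies $samplePolicies -OrgDefaultPolicy 'Block_Basic_Auth_Selective' |
    Where-Object Exposed | Format-Table -AutoSize

# Live run against the tenant (open a session first, e.g. connect-exopssession as in the post):
# Get-EffectiveBasicAuthExposure -Users (Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox) `
#     -Policies (Get-AuthenticationPolicy) `
#     -OrgDefaultPolicy "$((Get-OrganizationConfig).DefaultAuthenticationPolicy)" |
#     Where-Object Exposed | Format-Table -AutoSize
```

Run it once before and once after the Set-OrganizationConfig step; anything still listed as Exposed after the default is in place should be a mailbox you deliberately put in the unrestricted policy, nothing else.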


Hi Eugene,

thanks for the detailed description, I will look into testing this for a couple of affected users and then get it rolled out across the domain if all good. We have managed to stave off some of the lockouts using the threshold settings, but still some get locked every so often, so this could do the trick for us ...
thanks again and will update in the new year as to how it all goes
paddi