Failed log on (Failure message: Account is locked because user tried to sign in too many times with

%3CLINGO-SUB%20id%3D%22lingo-sub-734284%22%20slang%3D%22en-US%22%3EFailed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20with%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734284%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20company%20has%20been%20experiencing%20an%20attack%20from%20China%20IP%20addresses%20(random)%20for%20a%20while%20and%20I%20can't%20seem%20to%20block%20them.%20I'm%20getting%20these%20errors%20%22%3CSPAN%3EFailed%20log%20on%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20with%20an%20incorrect%20user%20ID%20or%20password)%22%20every%20few%20days%20on%20a%20few%20of%20my%20privileged%26nbsp%3Busers.%3CBR%20%2F%3EI've%20tried%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ETurning%20on%20Modern%20Authentication%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20Azure%20AD%20Enabled%20Block%20legacy%20authentication%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ETurned%20off%20POP%20and%20IMAP%20access%20via%20exchange%20admin%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ETurned%20on%20MFA%20for%20the%20privileged%26nbsp%3Busers%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20redacted%20(with%20*)%20source%20app%20connector%20data%20is%20below%2C%20I'm%20wondering%20if%20there%20is%20a%20way%20to%20block%26nbsp%3BOrgIdWsTrust2%3Aprocess%20or%26nbsp%3BUnknown(CBAInPROD).%20Or%20if%20there%20is%20something%20else%20I%20can%20block%20to%20stop%20this.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%20for%20your%20help!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%3CBR%20%2F%3E%22UserName%22%3A%20%22%22%2C%3CBR%20%2F%3E%22MfaResult%22%3A%20null%2C%3CBR%20%2F%3E%22DeviceInfo%22%3A%20%22Unknown(CBAInPROD)%22%2C%3CBR%20%2F%3E%22LoginErrorCode%22%3A%2050053%2C%3CBR%20%2F%3E%22DeviceTrustType%22%3A%20%22%22%2C%3CBR%20%2F%3E%22IsInteractive%22%3A%20false%2C%3CBR%20%2F%3E%22Call%22%3A%20%22OrgIdWsTrust2%3Aprocess%22%2C%3CBR%20%2F%3E%22LoginStatus%22%3A%20%22Failure%22%2C%3CBR%20%2F%3E%22MfaMaskedDeviceId%22%3A%20null%2C%3CBR%20%2F%3E%22IpAddress%22%3A%20%22182.38.105.229%22%2C%3CBR%20%2F%3E%22UserTenantId%22%3A%20%22****%22%2C%3CBR%20%2F%3E%22EventType%22%3A%20%22MCASLoginEvent%22%2C%3CBR%20%2F%3E%22IsInteractiveComputed%22%3A%20null%2C%3CBR%20%2F%3E%22ApplicationId%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22CorrelationId%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22ApplicationName%22%3A%20%22Office%20365%22%2C%3CBR%20%2F%3E%22SasStatus%22%3A%20null%2C%3CBR%20%2F%3E%22TimeStamp%22%3A%20%222019-07-02T01%3A11%3A36.4486831Z%22%2C%3CBR%20%2F%3E%22HomeTenantUserObjectId%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22MfaRequired%22%3A%20false%2C%3CBR%20%2F%3E%22RequestId%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22TenantId%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22MfaAuthMethod%22%3A%20null%2C%3CBR%20%2F%3E%22MfaStatusRaw%22%3A%20null%2C%3CBR%20%2F%3E%22IsDeviceCompliantAndManaged%22%3A%20false%2C%3CBR%20%2F%3E%22BrowserId%22%3A%20null%2C%3CBR%20%2F%3E%22UserTenantMsodsRegionScope%22%3A%20%22NA%22%2C%3CBR%20%2F%3E%22DataSource%22%3A%20null%2C%3CBR%20%2F%3E%22UserPrincipalObjectID%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22Upn%22%3A%20%22***%22%2C%3CBR%20%2F%3E%22MsodsTenantRegionScope%22%3A%20%22NA%22%3CBR%20%2F%3E%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-734284%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734968%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734968%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3EThank%20you%20for%20the%20follow%20up.%20Yes%20I%20am%20seeing%20the%20logs%20in%20MCAS%2C%20unfortunately%20we%20do%20not%20have%20a%20premium%20Azure%20AD%20subscription%20so%20I%20can't%20see%20the%20logs%20in%20there.%3C%2FP%3E%3CP%3EFrom%20my%20reading%20I%20thought%20is%20was%20through%20POP%20and%20IMAP%20as%20well%20but%20I've%20disabled%20that%20in%20the%20exchange%20mail%20boxes.%20Is%20there%20somewhere%20that%20needs%20to%20be%20set%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-735745%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-735745%22%20slang%3D%22en-US%22%3E%3CP%3EEven%20without%20AAD%20Premium%2C%20you%20can%20see%20it%20on%20the%20corresponding%20user%20object's%20details%20page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDisabling%20POP%2FIMAP%20will%20not%20affect%20these%20entries%2C%20blocking%20legacy%20auth%20should%20however%2C%20so%20check%20whether%20you%20missed%20something%20on%20that%20front.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736589%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736589%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%20Thank%20you%20for%20your%20continued%20help%2C%20I%20checked%20the%20Azure%20Ad%20logs%20(thank%20you%20for%20the%20tip)%20and%20saw%20that%20it%20was%20IMAP%20and%20SMTP%2C%20mostly%20SMTP.%3C%2FP%3E%3CP%3EThese%20alerts%20were%20on%207-1%20and%207-2%3C%2FP%3E%3CP%3EI%20ran%20this%20powershell%20script%20on%20all%20my%20users%20on%206-28%3C%2FP%3E%3CP%3E%24Mailboxes%20%3D%20Get-Mailbox%20-ResultSize%20Unlimited%3C%2FP%3E%3CP%3EForEach%20(%24Mailbox%20in%20%24Mailboxes)%20%7B%24Mailbox%20%7C%20Set-CASMailbox%20-PopEnabled%20%24False%20-ImapEnabled%20%24False%20%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20checked%20the%20account%20in%20exchange%20and%20it%20seems%20like%20it%20is%20disabled%2C%20see%20below%2C%20although%20I%20don't%20see%20a%20way%20to%20disabled%20SMTP%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20712px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122087i62AD2744B9B021EC%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Spray-Issue.png%22%20title%3D%22Spray-Issue.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736877%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736877%22%20slang%3D%22en-US%22%3E%3CP%3EAgain%2C%20disabling%20legacy%20auth%20is%20your%20best%20option%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-744668%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-744668%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BI'm%20sorry%20for%20the%20delayed%20reply%20I've%20been%20working%20with%20Microsoft%20support%20in%20hopes%20of%20getting%20this%20resolved%20but%20have%20reached%20a%20dead%20end.%20I've%20blocked%20legacy%20access%20via%20AD%20conditional%20access%20policies.%20As%20per%20earlier%20I've%20blocked%20IMAP%20and%20POP.%3C%2FP%3E%3CP%3EMicrosoft%20support%20is%20now%20telling%20me%20that%20the%20attackers%20are%20still%20able%20to%20try%20IMAP%20they%20are%20just%20not%20going%20to%20be%20able%20to%20get%20in.%20This%20is%20a%20problem%20to%20me%20as%20given%20enough%20time%20they%20will%20guess%20the%20password%20and%20have%201%20factor%20to%20log%20in.%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20anything%20else%20I%20can%20do%3F%20It%20seems%20crazy%20Microsoft%20just%20allows%20someone%20to%20keep%20trying%20on%20IMAP%20even%20though%20it%20is%20disabled.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-745326%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-745326%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what's%20happening%20in%20your%20scenario%2C%20but%20once%20I%20disabled%20legacy%20auth%20in%20my%20tenant%20I%20stopped%20seeing%20any%20such%20attempts.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-854623%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-854623%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%20I%20have%20exactly%20the%20same%20problem%20for%20a%20client.%26nbsp%3B%20IMAP%20and%20POP%20are%20disable%2C%20but%20when%20external%20users%20try%20to%20brute%20force%20the%20account%2C%20the%20tries%20count%20for%20the%20lockout%20for%20a%2030%20minutes...%20the%20account%20get%20locked%20out%20even%20if%20the%20IMAP%20protocol%20is%20disabled%20for%20the%20user.%26nbsp%3B%20actually%20I'm%20trying%20to%20build%20conditional%20access%20policies%20to%20block%20connections%20from%20some%20countries%20(China...).%26nbsp%3B%20The%20user%20don't%20want%20(for%20now)%20to%20start%20using%20Outlook%2C%20and%20don't%20want%20to%20hear%20about%20anything%20else%20than%20iOS%20mail%2C%20which%20only%20support%20basic%20authentication%2C%20so%20for%20now%20I%20can't%20disable%20Basic%20authentication.%26nbsp%3B%20I'm%20getting%20out%20of%20ideas.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-855341%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-855341%22%20slang%3D%22en-US%22%3E%3CP%3ECA%20policies%20and%20the%20protocol%20controls%20act%20*after*%20the%20login%2C%20that's%20why%20I%20suggested%20completely%20disabling%20legacy%20auth%20via%20authentication%20policies%20in%20Exchange%20above.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1340676%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1340676%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F163398%22%20target%3D%22_blank%22%3E%40Sean%20Kuchle%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20same%20issue.%3C%2FP%3E%3CP%3EDid%20you%20get%20anywhere%20with%20a%20proper%20answer%20or%20solution%20%3F%3C%2FP%3E%3CP%3EI%20have%20daily%20more%20than%20500%20login%20tries%20from%20China%2C%20US%2C%20Thailand%20etc.%20with%20failed%20login%20using%20IMAP.%3C%2FP%3E%3CP%3EFailure%20reason%26nbsp%3B%20%22%3CSPAN%3EAccount%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20with%20an%20incorrect%20user%20ID%20or%20password.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIMAP%20disable%20in%20exchange%20and%20Block%20Legacy%20Cond.%20Access%20is%20applied%2C%20how%20can%20I%20tell%20if%20we%20are%20not%20in%20trouble%20if%20I%20still%20get%2050053%20error%20when%20service%20is%20disabled%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Ethank%20you%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1341201%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1341201%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F244243%22%20target%3D%22_blank%22%3E%40LilleLars%3C%2FA%3E%26nbsp%3BAs%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bsaid%20the%20CA%20policies%20are%20only%20being%20applied%20AFTER%20succesful%20authentication%20through%20basich%20auth%20protocols%20(POP3%2C%20IMAP%2C%20SMTP%2C%20etc.).%20That's%20why%20you're%20seeing%20this%20behaviour.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ETo%20eliminate%20these%20spray%20attacks%20you%20need%20to%20disable%20basic%20auth%20in%20Exchange%20Online.%20Please%20have%20a%20look%20at%20the%20following%20article%20on%20how%20to%20do%20that%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1342906%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1342906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1111%22%20target%3D%22_blank%22%3E%40Pavel%20Otych%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20Pavel%2C%20im%20testing%20now%20and%20this%20tenant%20did%20not%20have%20any%20%22authentication%20policies%22%20already.%3C%2FP%3E%3CP%3EIve%20done%20this%3A%3C%2FP%3E%3CP%3ENew-AuthenticationPolicy%20-Name%20%22Block%20Basic%20Auth%22%3CBR%20%2F%3ESet-OrganizationConfig%20-DefaultAuthenticationPolicy%20%22Block%20Basic%20Auth%22%3C%2FP%3E%3CP%3Egives%20me%20below%20result%20which%20looks%20good.%3C%2FP%3E%3CP%3EI%C2%B4ve%20waited%26nbsp%3B%2010%20hours%20and%20stille%20I%20see%20IMAP%20error%2050053%20%22account%20is%20blocked%22%20in%20the%20Sign-ins%20log%3C%2FP%3E%3CP%3EHope%20I%20did%20it%20correct%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAllowBasicAuthActiveSync%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthAutodiscover%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthImap%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthMapi%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthOfflineAddressBook%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthOutlookService%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthPop%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthReportingWebServices%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthRest%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthRpc%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthSmtp%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthWebServices%20%3A%20False%3CBR%20%2F%3EAllowBasicAuthPowershell%20%3A%20False%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1343031%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343031%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F244243%22%20target%3D%22_blank%22%3E%40LilleLars%3C%2FA%3E%26nbsp%3BThe%20steps%20you've%20done%20are%20correct%20and%20should%20be%20enough.%20If%20you're%20seeing%20this%20for%20a%20specific%20user%20account%20you%20can%20check%20he%20has%20the%20policy%20applied%20and%20run%20%22%3CSPAN%20class%3D%22hljs-pscommand%22%3EGet-User%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-Filter%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22hljs-string%22%3E%22AuthenticationPolicy%20-eq...%22%20(more%20info%20in%20the%20article)%20to%20make%20sure.%20But%20other%20than%20that%20I%20think%20you've%20done%20all%20that%20was%20needed%20and%20the%20basic%20auth%20should%20be%20blocked%20%3A(%3C%2Fimg%3E%20You%20might%20wait%20a%20bit%20longer%20and%20see%20if%20it%20works%20eventually.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-string%22%3EMaybe%20someone%20else%20has%20an%20idea.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1343069%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343069%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1111%22%20target%3D%22_blank%22%3E%40Pavel%20Otych%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Pavel%2C%20thank%20you%20!%3C%2FP%3E%3CP%3EGet-User%20-Identity%20user%40domain.com%26nbsp%3B%7C%20fl%20auth%20returns%3A%3C%2FP%3E%3CP%3EAuthenticationpolicy%20%3A%3C%2FP%3E%3CP%3EBlank%20or%20null%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eit%20might%20be%20because%20its%20the%20default%20auth%20policy%20%3F%20as%20I%20see%20in%20this%20uservoice%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F38070442-get-user-does-not-show-default-authentication-poli%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F38070442-get-user-does-not-show-default-authentication-poli%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1343099%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343099%22%20slang%3D%22en-US%22%3EIt's%20normal%20you%20don't%20see%20it%20that%20way%20as%20you%20have%20added%20it%20as%20a%20default%20policy.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20experienced%20the%20same%20and%20contact%20Microsoft%20for%20that.%3CBR%20%2F%3EThey%20informed%20me%20that%20Authentication%20Policies%20are%20unreliable%20and%20CA%20should%20be%20used.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20don't%20like%20that%20response%2C%20but%20it's%20the%20one%20I%20got%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3EI%20recommend%20adding%20the%20authentication%20policy%20and%20setting%20up%20CA%20to%20block%20the%20signins%20that%20aren't%20stopped%20by%20auth%20policies.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1343112%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343112%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%3C%2FP%3E%3CP%3Eok%20I%20will%20leave%20it%20as%20I%C2%B4ve%20done%20now%20and%20follow%20the%20sign-ins%20log%20here.%3C%2FP%3E%3CP%3EThank%20you%20all!%3C%2FP%3E%3CP%3Ehave%20a%20nice%20day%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734871%22%20slang%3D%22en-US%22%3ERe%3A%20Failed%20log%20on%20(Failure%20message%3A%20Account%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20w%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734871%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20you%20looking%20at%20the%20MCAS%20logs%3F%20Those%20arrive%20with%20some%20delay%2C%20best%20check%20directly%20against%20the%20Azure%20AD%20sign-in%20logs.%20The%20settings%20you've%20configured%20should%20be%20enough%20to%20prevent%20this%20type%20of%20attack%2C%20which%20is%20usually%20brute-forcing%20credentials%20via%20POP%2FIMAP.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

My company has been experiencing an attack from China IP addresses (random) for a while and I can't seem to block them. I'm getting these errors "Failed log on (Failure message: Account is locked because user tried to sign in too many times with an incorrect user ID or password)" every few days on a few of my privileged users.
I've tried

Turning on Modern Authentication

In Azure AD Enabled Block legacy authentication

Turned off POP and IMAP access via exchange admin

Turned on MFA for the privileged users

 

The redacted (with *) source app connector data is below, I'm wondering if there is a way to block OrgIdWsTrust2:process or Unknown(CBAInPROD). Or if there is something else I can block to stop this.

Thanks for your help!

 

{
"UserName": "",
"MfaResult": null,
"DeviceInfo": "Unknown(CBAInPROD)",
"LoginErrorCode": 50053,
"DeviceTrustType": "",
"IsInteractive": false,
"Call": "OrgIdWsTrust2:process",
"LoginStatus": "Failure",
"MfaMaskedDeviceId": null,
"IpAddress": "182.38.105.229",
"UserTenantId": "****",
"EventType": "MCASLoginEvent",
"IsInteractiveComputed": null,
"ApplicationId": "***",
"CorrelationId": "***",
"ApplicationName": "Office 365",
"SasStatus": null,
"TimeStamp": "2019-07-02T01:11:36.4486831Z",
"HomeTenantUserObjectId": "***",
"MfaRequired": false,
"RequestId": "***",
"TenantId": "***",
"MfaAuthMethod": null,
"MfaStatusRaw": null,
"IsDeviceCompliantAndManaged": false,
"BrowserId": null,
"UserTenantMsodsRegionScope": "NA",
"DataSource": null,
"UserPrincipalObjectID": "***",
"Upn": "***",
"MsodsTenantRegionScope": "NA"
}

 

 

16 Replies

Are you looking at the MCAS logs? Those arrive with some delay, best check directly against the Azure AD sign-in logs. The settings you've configured should be enough to prevent this type of attack, which is usually brute-forcing credentials via POP/IMAP.

@Vasil MichevThank you for the follow up. Yes I am seeing the logs in MCAS, unfortunately we do not have a premium Azure AD subscription so I can't see the logs in there.

From my reading I thought is was through POP and IMAP as well but I've disabled that in the exchange mail boxes. Is there somewhere that needs to be set?

Even without AAD Premium, you can see it on the corresponding user object's details page.

 

Disabling POP/IMAP will not affect these entries, blocking legacy auth should however, so check whether you missed something on that front.

@Vasil Michev  Thank you for your continued help, I checked the Azure Ad logs (thank you for the tip) and saw that it was IMAP and SMTP, mostly SMTP.

These alerts were on 7-1 and 7-2

I ran this powershell script on all my users on 6-28

$Mailboxes = Get-Mailbox -ResultSize Unlimited

ForEach ($Mailbox in $Mailboxes) {$Mailbox | Set-CASMailbox -PopEnabled $False -ImapEnabled $False }

 

I checked the account in exchange and it seems like it is disabled, see below, although I don't see a way to disabled SMTPSpray-Issue.png

Again, disabling legacy auth is your best option here.

@Vasil Michev I'm sorry for the delayed reply I've been working with Microsoft support in hopes of getting this resolved but have reached a dead end. I've blocked legacy access via AD conditional access policies. As per earlier I've blocked IMAP and POP.

Microsoft support is now telling me that the attackers are still able to try IMAP they are just not going to be able to get in. This is a problem to me as given enough time they will guess the password and have 1 factor to log in.

Does anyone know anything else I can do? It seems crazy Microsoft just allows someone to keep trying on IMAP even though it is disabled.

Not sure what's happening in your scenario, but once I disabled legacy auth in my tenant I stopped seeing any such attempts. 

@Vasil Michev  I have exactly the same problem for a client.  IMAP and POP are disable, but when external users try to brute force the account, the tries count for the lockout for a 30 minutes... the account get locked out even if the IMAP protocol is disabled for the user.  actually I'm trying to build conditional access policies to block connections from some countries (China...).  The user don't want (for now) to start using Outlook, and don't want to hear about anything else than iOS mail, which only support basic authentication, so for now I can't disable Basic authentication.  I'm getting out of ideas.

CA policies and the protocol controls act *after* the login, that's why I suggested completely disabling legacy auth via authentication policies in Exchange above.

@Sean Kuchle 

I have the same issue.

Did you get anywhere with a proper answer or solution ?

I have daily more than 500 login tries from China, US, Thailand etc. with failed login using IMAP.

Failure reason  "Account is locked because user tried to sign in too many times with an incorrect user ID or password."

IMAP disable in exchange and Block Legacy Cond. Access is applied, how can I tell if we are not in trouble if I still get 50053 error when service is disabled ?

thank you

@LilleLars As @Vasil Michev said the CA policies are only being applied AFTER succesful authentication through basich auth protocols (POP3, IMAP, SMTP, etc.). That's why you're seeing this behaviour. 

 

To eliminate these spray attacks you need to disable basic auth in Exchange Online. Please have a look at the following article on how to do that: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

@Pavel Otych 

Thank you Pavel, im testing now and this tenant did not have any "authentication policies" already.

Ive done this:

New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

gives me below result which looks good.

I´ve waited  10 hours and stille I see IMAP error 50053 "account is blocked" in the Sign-ins log

Hope I did it correct?

 

AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : False
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False

 

@LilleLars The steps you've done are correct and should be enough. If you're seeing this for a specific user account you can check he has the policy applied and run "Get-User -Filter "AuthenticationPolicy -eq..." (more info in the article) to make sure. But other than that I think you've done all that was needed and the basic auth should be blocked :( You might wait a bit longer and see if it works eventually. Maybe someone else has an idea.

 

 

@Pavel Otych 

Hi Pavel, thank you !

Get-User -Identity user@domain.com | fl auth returns:

Authenticationpolicy :

Blank or null ?

 

it might be because its the default auth policy ? as I see in this uservoice:

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/38070442-ge...

 

 

It's normal you don't see it that way as you have added it as a default policy.

I have experienced the same and contact Microsoft for that.
They informed me that Authentication Policies are unreliable and CA should be used.

I don't like that response, but it's the one I got :)

I recommend adding the authentication policy and setting up CA to block the signins that aren't stopped by auth policies.

@Thijs Lecomte

ok I will leave it as I´ve done now and follow the sign-ins log here.

Thank you all!

have a nice day