Forum Discussion
casualbob
Jan 30, 2020 Copper Contributor
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a login is detected from one of my 12 Office 365 email users. These emails contain the username logging in and the IP address the log in o...
synclan
Jul 30, 2020 Copper Contributor
I have been seeing these as well around when you started seeing them.
I'm on my third ticket with MS after being informed to ignore them - the frequency and accounts that are being sprayed have increased and now it is targeting specific accounts in my tenant.
Anyone have more info on this?
casualbob
Aug 06, 2020 Copper Contributor
Over 3,600 people have viewed my original post now so we're definitely not alone.
Please update us if you have any further info.
I've had 72 alerts in the last week on the handful of accounts I run, and new MS IP addresses appear all the time, so I'm constantly having to update my rule to catch them.
synclan
Sep 10, 2020 Copper Contributor
I'm going to echo what others have said in this thread so far.
In my tickets with MS, they have told me to ignore these, although I don't think that's the right move.
It *seems* to be a password spray attempt, likely a dictionary based attack.
ROPC = Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
BAV = Business Apps v2
I have switched from monitoring successful logins in the audit logs to monitoring the Azure based logins per MS's suggestion as the audit logs can be difficult to read with a bunch of these attempts cluttering the logs.
The only option presented to me to mitigate this was to enable conditional access, which will not work as some of these attempts are stateside. I don't want to lock down logins to the IPs for each specific user as that will be pretty difficult to manage with mobile usage.
All I can tell is that these attempts are successfully getting a token, which does not necessarily indicate a compromise, just that the attacker was able to authenticate to the service.
It is concerning to me that this is happening, that it is coming from MS-based IPs, and that in the numerous tickets I have made, it's been brushed off.
Hopefully MS will address this, we are really relying here on the quality of this service and the strength of the user password, which makes me pretty uncomfortable.
NitinGangwar
Oct 14, 2020 Copper Contributor
synclan, I have also seen lots of BAV2ROPC activity for my users.
This time the country is the Netherlands. IP 185.222.57.165
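The triage synclan describes (moving from the audit log to Azure AD sign-in records, and separating the spray noise from the attempts that actually obtained a token) is shown below as an added example; it is not code from anyone in this thread or from Microsoft. The sign-in records are constructed sample data in the shape of JSON-lines exports, and the field names (userPrincipalName, ipAddress, userAgent, clientAppUsed, status.errorCode) are assumptions modelled on the Azure AD sign-in log schema. The set of client-app values treated as legacy authentication and the IP addresses are also assumptions; error code 50126 is the Azure AD code for an invalid username or password, and 0 means the sign-in succeeded.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (JSON lines). Not real log data; the IPs
# and UPNs are made up. One source IP tries four different accounts over
# BAV2ROPC and gets a token for the fourth; a second IP tries a single account;
# the last record is an ordinary browser sign-in and should be ignored.
SAMPLE_SIGNIN_LINES = [
    '{"userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10",'
    '"userAgent":"BAV2ROPC","clientAppUsed":"Other clients","status":{"errorCode":50126}}',
    '{"userPrincipalName":"bob@example.test","ipAddress":"203.0.113.10",'
    '"userAgent":"BAV2ROPC","clientAppUsed":"Other clients","status":{"errorCode":50126}}',
    '{"userPrincipalName":"carol@example.test","ipAddress":"203.0.113.10",'
    '"userAgent":"BAV2ROPC","clientAppUsed":"Other clients","status":{"errorCode":50126}}',
    '{"userPrincipalName":"dave@example.test","ipAddress":"203.0.113.10",'
    '"userAgent":"BAV2ROPC","clientAppUsed":"Other clients","status":{"errorCode":0}}',
    '{"userPrincipalName":"alice@example.test","ipAddress":"198.51.100.7",'
    '"userAgent":"BAV2ROPC","clientAppUsed":"Other clients","status":{"errorCode":50126}}',
    '{"userPrincipalName":"alice@example.test","ipAddress":"192.0.2.44",'
    '"userAgent":"Mozilla/5.0","clientAppUsed":"Browser","status":{"errorCode":0}}',
    "not a json line",  # exports sometimes contain a header or trailing junk
]

# Assumed set of clientAppUsed values that mean legacy (password-only) auth.
LEGACY_CLIENT_APPS = {"Other clients", "Authenticated SMTP", "IMAP4", "POP3"}


def parse_signins(lines):
    """Parse JSON-lines sign-in records, skipping anything that is not JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_legacy_ropc(rec):
    """True when the sign-in used BAV2ROPC or another legacy client app."""
    user_agent = (rec.get("userAgent") or "").upper()
    return user_agent.startswith("BAV2ROPC") or rec.get("clientAppUsed") in LEGACY_CLIENT_APPS


def is_success(rec):
    """Azure AD reports a successful sign-in as status.errorCode == 0."""
    return (rec.get("status") or {}).get("errorCode") == 0


def summarize_by_ip(records):
    """Per source IP: distinct accounts tried over legacy auth, failures, successes."""
    summary = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for rec in records:
        if not is_legacy_ropc(rec):
            continue
        entry = summary[rec.get("ipAddress", "?")]
        entry["users"].add(rec.get("userPrincipalName", "?"))
        if is_success(rec):
            entry["successes"] += 1
        else:
            entry["failures"] += 1
    return dict(summary)


def find_spray_sources(records, min_users=3):
    """IPs that tried legacy auth against at least min_users distinct accounts.

    Many accounts from one IP, few attempts each, is the password-spray shape;
    a single user failing repeatedly from one IP is more likely a stale client.
    """
    return sorted(ip for ip, s in summarize_by_ip(records).items()
                  if len(s["users"]) >= min_users)


def find_successful_legacy_signins(records):
    """(user, ip) pairs where a legacy-auth attempt actually obtained a token."""
    return sorted({(r["userPrincipalName"], r["ipAddress"])
                   for r in records if is_legacy_ropc(r) and is_success(r)})


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LINES)
    for ip, s in summarize_by_ip(recs).items():
        print(f"{ip}: {len(s['users'])} accounts, {s['failures']} failed, {s['successes']} succeeded")
    print("spray sources:", find_spray_sources(recs))
    print("successful legacy sign-ins to triage:", find_successful_legacy_signins(recs))
```

The failure-only rows are the noise the thread complains about; the list returned by find_successful_legacy_signins is the part worth a ticket, because a BAV2ROPC success means a password was accepted over a protocol that cannot be challenged for MFA, and that account should be reviewed regardless of whether the source IP belongs to a cloud provider.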