@BdCvC 

Cheers BdCvC,

I have encountered these IPs and started ignorning them too. Added in case it helps anyone else.

Dublin Ireland
40.101.42.173
40.101.96.101
52.97.140.37
52.97.140.45
40.101.102.149

Vienna Austria
148.252.129.195
40.101.71.61
52.97.141.213

Amsterdam Holland
52.97.140.181
40.101.88.221
52.97.139.61
52.97.135.157
52.97.141.45
40.101.90.85

@casualbob 

I have been seeing these as well around when you started seeing them.

I'm on my third ticket with MS after being informed to ignore them - the frequency and accounts that are being sprayed have increased and now it is targeting specific accounts in my tenant.

Anyone have more info on this?

@synclan 

Over 3,600 people have viewed my original post now so we're definitely not alone.

Please update us if you have any further info.

I've had 72 alerts in the last week on the handful of accounts I run and new MS IP addresses all the time so constantly having to update my rule to catch them.

@Dawg098 

i was alerted by my email security company that a user had successfully logged in from The Ukraine. In Azure AD the user agent is this: User agent BAV2ROPC

So I Googled it and here we are. I see it's being called an old version of an office app login, but also pops when a user is using a VPN to stream and then logs into office365 with the VPN still on. So I haven't gotten any closer to solving this and I hope someone has some more info. I didn't hear a peep from Sentinel One or Darktrace on this

@casualbob 

I am monitoring the audit logs of a few dozen Tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IP's in their Data Centers). I have excluded Microsoft* ISP's from my Alerts, as these are likely just password hackers and the logs interpret/file them as successful Logins, in stead as Attempts.

If they were truly actual logins, we would not be in business anymore :)

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.

Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.

@casualbob 

I'm going to echo what others have said in this thread so far.

In my tickets with MS, they have told me to ignore these, although I don't think that's the right move.

It *seems* to be a password spray attempt, likely a dictionary based attack.

ROPC = Resource Owner Password Credentials

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

BAV = Business Apps v2

I have switched from monitoring successful logins in the audit logs to monitoring the Azure based logins per MS's suggestion as the audit logs can be difficult to read with a bunch of these attempts cluttering the logs.

The only option presented to me to mitigate this was to this enable conditional access which will not work as some of these attempts are stateside. I don't want to lock down logins to the IP's for each specific user as that will be pretty difficult to manage with mobile usage.

All I can tell is that these attempts are successfully getting a token, which does not necessarily indicate a compromise, just that the attacker was able to authenticate to the service.

It is concerning to me that this is happening, that it is coming from MS based IP's, and that in the numerous tickets I have made, it's been brushed off.

Hopefully MS will address this, we are really relying here on the quality of this service and the strength of the user password, which makes me pretty uncomfortable.

@synclanI have also seen lots of BAV2ROPC activity for my users.

This time country is Netherlands. IP 185.222.57.165

And the beat goes on.

@Alicia_Shelley 

Interesting new development, UnifiedAuditLogs in Europe have failed to update UserLoggedin records since around 25/11/2020, logged a case with MS, have seen AZ auditlogs re-feed old data to unifiedauditlogs but username is not the email address but the SID, so this looks like they have a problem and a bug. I added a P1 lic to one of my 12 Tenants and checking Get-AzureADAuditSignInLogs in stead, will let you know if this is more accurate regarding the incorrectly recorded MS sites.

@BdCvC 

MS has fixed the Azure log feed into UnifiedAuditLogs last week, which gave me the opportunity to look at the Azure logs (the source logs) in depth again, which confirmed that the False Positive is already present in the Azure UserLogin logs. Unfortunately the Azure logs content itself proves no better, even worse as the (MS internal) IP lookup does not even identify/log their own datacentres (so you have something to filter on). So I am back to extracting the UnifiedAuditLog, running it by an IP lookup and ignoring ISP=Microsoft Data Centres, as these are all false positives. Have managed to catch several hacked accounts this way, if customers would only pay the eu5 extra for P1, so we can use MFA (and Registered Locations) and the likes as prevention is always better than detection after the hack has already taken place.

@BdCvC 

So does this indicate an account compromise, malicious attempts to authenticate, or false positive? Apologies for the confusion.

@Aquilius 

Hi there.

To be honest I still don't know for certain.

It appears it's ok, and MS told me it was ok, but I still don't know why it's happening.

If MS could chime in that'd be great.