Jan 30 2020
12:52 AM
- last edited on
Feb 10 2023
02:23 PM
by
TechCommunityAP
Jan 30 2020
12:52 AM
- last edited on
Feb 10 2023
02:23 PM
by
TechCommunityAP
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in originated from.
Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys.
In 2020, I have started getting log in alerts, which according to https://whatismyipaddress.com/ are from Microsoft Datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure". e.g 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin).
Worried about potential breaches, I contacted Microsoft Support (who by the way are always ON IT, thank you) who helped me find info in the audit log to say the User Agent is BAV2ROPC, which lead me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile.
I have a couple of questions / observations and wondered if anyone could shed any light on this.
1) My users don't know their passwords so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered log ins from Microsoft IP addresses, and I have 2 factor authentication turned on where I received a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their android phone on the built in email app.
6) The frequency I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.
In summary, I don't think there's anything untoward goin on, but as a responsible admin, I'ld like to understand exactly what's occuring.
Many thanks,
Dave
Mar 06 2020 08:08 AM
I see this has had over 400 views now but no replies. If you're looking at this, would you mind dropping a note and letting me know why you eneded up on this page? Are you experiencing the same thing? It's increased quite a lot since I posted this and no one can give me an answer as to why it's happening. Cheers.
Mar 10 2020 08:15 PM
Starting seeing this since 2/10/2020, even on account that are "Sign in blocked" since last year.
Today, one of the user was logged in by this account and then 1 hour letter, we internally received phishing email from this user.
We monitored login closely and this user had no sign of credential being compromised because all logins in the past 30 days are from proper device and IP address, only 1 incident that is using this agent today.
UserLoggedIn | 2020-03-11T00:36:50 | BAV2ROPC | 52.96.3.197 | Microsoft Corporation | San Jose | California | United States |
This sounds MS datacenter being compromised or what?
Apr 02 2020 07:17 AM
I have started ignoring below sources, as I could not link them to password hacks. They also appeared for users I deleted ages ago, and the logs still say a successful UserLogin, so may be an internal error.
ID IP Description RegionName Country
30 40.101.126.245 Microsoft Germany
31 40.101.71.117 Microsoft Austria
32 40.101.124.253 Microsoft Netherlands
33 40.101.100.133 Microsoft United States
34 40.101.126.173 Microsoft Finland
35 52.98.40.37 Microsoft South Korea
The number of actual hacked accounts appear to become smaller in Q1 2020, we still see a few occasionally but not as much as Q3 and Q4 last year.
Apr 02 2020 07:20 AM
Cheers BdCvC,
I have encountered these IPs and started ignorning them too. Added in case it helps anyone else.
Dublin Ireland
40.101.42.173
40.101.96.101
52.97.140.37
52.97.140.45
40.101.102.149
Vienna Austria
148.252.129.195
40.101.71.61
52.97.141.213
Amsterdam Holland
52.97.140.181
40.101.88.221
52.97.139.61
52.97.135.157
52.97.141.45
40.101.90.85
Jul 30 2020 03:13 PM
I have been seeing these as well around when you started seeing them.
I'm on my third ticket with MS after being informed to ignore them - the frequency and accounts that are being sprayed have increased and now it is targeting specific accounts in my tenant.
Anyone have more info on this?
Aug 06 2020 01:20 AM
Over 3,600 people have viewed my original post now so we're definitely not alone.
Please update us if you have any further info.
I've had 72 alerts in the last week on the handful of accounts I run and new MS IP addresses all the time so constantly having to update my rule to catch them.
Sep 02 2020 09:54 AM
We have seen the exact same behavior a couple of times now, both were for user accounts that were removed several years ago. The latest was for a user that left in 2010. The IP's are showing as MS Data Centers in South Korea and Dublin.
Sep 08 2020 01:27 PM
i was alerted by my email security company that a user had successfully logged in from The Ukraine. In Azure AD the user agent is this: User agent BAV2ROPC
So I Googled it and here we are. I see it's being called an old version of an office app login, but also pops when a user is using a VPN to stream and then logs into office365 with the VPN still on. So I haven't gotten any closer to solving this and I hope someone has some more info. I didn't hear a peep from Sentinel One or Darktrace on this
Sep 08 2020 02:02 PM
I am monitoring the audit logs of a few dozen Tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IP's in their Data Centers). I have excluded Microsoft* ISP's from my Alerts, as these are likely just password hackers and the logs interpret/file them as successful Logins, in stead as Attempts.
If they were truly actual logins, we would not be in business anymore 🙂
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.
Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.
Sep 10 2020 09:12 AM
I'm going to echo what others have said in this thread so far.
In my tickets with MS, they have told me to ignore these, although I don't think that's the right move.
It *seems* to be a password spray attempt, likely a dictionary based attack.
ROPC = Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
BAV = Business Apps v2
I have switched from monitoring successful logins in the audit logs to monitoring the Azure based logins per MS's suggestion as the audit logs can be difficult to read with a bunch of these attempts cluttering the logs.
The only option presented to me to mitigate this was to this enable conditional access which will not work as some of these attempts are stateside. I don't want to lock down logins to the IP's for each specific user as that will be pretty difficult to manage with mobile usage.
All I can tell is that these attempts are successfully getting a token, which does not necessarily indicate a compromise, just that the attacker was able to authenticate to the service.
It is concerning to me that this is happening, that it is coming from MS based IP's, and that in the numerous tickets I have made, it's been brushed off.
Hopefully MS will address this, we are really relying here on the quality of this service and the strength of the user password, which makes me pretty uncomfortable.
Oct 13 2020 05:43 PM
@synclanI have also seen lots of BAV2ROPC activity for my users.
This time country is Netherlands. IP 185.222.57.165
Oct 21 2020 04:05 PM
@casualbob 11K views and yet still no official address of what is going on here
Oct 29 2020 07:20 PM
And the beat goes on.
Nov 12 2020 09:32 AM
Nov 12 2020 02:15 PM
Interesting new development, UnifiedAuditLogs in Europe have failed to update UserLoggedin records since around 25/11/2020, logged a case with MS, have seen AZ auditlogs re-feed old data to unifiedauditlogs but username is not the email address but the SID, so this looks like they have a problem and a bug. I added a P1 lic to one of my 12 Tenants and checking Get-AzureADAuditSignInLogs in stead, will let you know if this is more accurate regarding the incorrectly recorded MS sites.
Nov 24 2020 07:11 AM
@casualbob Interesting thing for my environment is that this activity is only showing for one specific account consistently. This login behavior is not showing for any other user.
Nov 24 2020 07:29 AM
MS has fixed the Azure log feed into UnifiedAuditLogs last week, which gave me the opportunity to look at the Azure logs (the source logs) in depth again, which confirmed that the False Positive is already present in the Azure UserLogin logs. Unfortunately the Azure logs content itself proves no better, even worse as the (MS internal) IP lookup does not even identify/log their own datacentres (so you have something to filter on). So I am back to extracting the UnifiedAuditLog, running it by an IP lookup and ignoring ISP=Microsoft Data Centres, as these are all false positives. Have managed to catch several hacked accounts this way, if customers would only pay the eu5 extra for P1, so we can use MFA (and Registered Locations) and the likes as prevention is always better than detection after the hack has already taken place.
Nov 24 2020 08:05 AM
So does this indicate an account compromise, malicious attempts to authenticate, or false positive? Apologies for the confusion.
Nov 24 2020 08:09 AM
Hi there.
To be honest I still don't know for certain.
It appears it's ok, and MS told me it was ok, but I still don't know why it's happening.
If MS could chime in that'd be great.