Forum Discussion
Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in originated from.
Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys.
In 2020, I have started getting log in alerts which, according to https://whatismyipaddress.com/, are from Microsoft Datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure", e.g. 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin).
Worried about potential breaches, I contacted Microsoft Support (who by the way are always ON IT, thank you) who helped me find info in the audit log to say the User Agent is BAV2ROPC, which led me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile.
I have a couple of questions / observations and wondered if anyone could shed any light on this.
1) My users don't know their passwords, so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered log ins from Microsoft IP addresses, and I have 2-factor authentication turned on, where I receive a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programmatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their Android phone in the built-in email app.
6) The frequency I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.
In summary, I don't think there's anything untoward going on, but as a responsible admin, I'd like to understand exactly what's occurring.
Many thanks,
Dave
- LYANG (Copper Contributor)
We've been seeing this since 2/10/2020, even on accounts that have been "Sign in blocked" since last year.
Today, one of the users was logged in by this account, and then 1 hour later we internally received a phishing email from this user.
We monitored logins closely, and this user showed no sign of credentials being compromised, because all logins in the past 30 days are from the proper device and IP address; there was only 1 incident, today, using this agent.
UserLoggedIn 2020-03-11T00:36:50 BAV2ROPC 52.96.3.197 Microsoft Corporation San Jose California United States
This sounds like an MS datacenter being compromised, or what?
- BdCvC (Copper Contributor)
I have started ignoring the sources below, as I could not link them to password hacks. They also appeared for users I deleted ages ago, and the logs still say a successful UserLogin, so it may be an internal error.
ID IP Description RegionName Country
30 40.101.126.245 Microsoft Germany
31 40.101.71.117 Microsoft Austria
32 40.101.124.253 Microsoft Netherlands
33 40.101.100.133 Microsoft United States
34 40.101.126.173 Microsoft Finland
35 52.98.40.37 Microsoft South Korea
The number of actual hacked accounts appears to have become smaller in Q1 2020; we still see a few occasionally, but not as many as in Q3 and Q4 last year.
- casualbob (Copper Contributor)
Cheers BdCvC,
I have encountered these IPs and started ignoring them too. Added in case it helps anyone else.
- BdCvC (Copper Contributor)
I am monitoring the audit logs of a few dozen tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IPs in their Data Centers). I have excluded Microsoft* ISPs from my Alerts, as these are likely just password hackers, and the logs interpret/file them as successful logins instead of as attempts.
If they were truly actual logins, we would not be in business anymore 🙂
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.
Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.
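Added example, not from any poster in this thread: instead of suppressing every sign-in whose ISP is Microsoft, this Python check reads Unified Audit Log AuditData records (the JSON that Search-UnifiedAuditLog returns, field names as in that schema) and flags BAV2ROPC logins whose source IP never appears in the same user's non-ROPC sign-ins, which is the cross-check LYANG describes doing by hand. The sample records are constructed; users are placeholders and 203.0.113.10 stands in for an office address.

```python
import json
from collections import defaultdict

def _rec(time, user, ip, agent):
    # Build one constructed record in the AuditData JSON shape (sample data only).
    return json.dumps({"CreationTime": time, "Operation": "UserLoggedIn",
                       "UserId": user, "ClientIP": ip, "ResultStatus": "Succeeded",
                       "ExtendedProperties": [{"Name": "UserAgent", "Value": agent}]})

# Constructed sample lines: IPs quoted in the thread plus a documentation-range office IP.
SAMPLE_AUDITDATA = [
    _rec("2020-03-10T08:02:11", "alice@example.com", "203.0.113.10", "Mozilla/5.0 Outlook"),
    _rec("2020-03-11T00:36:50", "alice@example.com", "52.96.3.197", "BAV2ROPC"),
    _rec("2020-03-11T09:15:00", "bob@example.com", "40.101.88.221", "BAV2ROPC"),
    _rec("2020-03-11T07:00:00", "carol@example.com", "203.0.113.10", "Mozilla/5.0 Outlook"),
    _rec("2020-03-11T09:20:00", "carol@example.com", "203.0.113.10", "BAV2ROPC"),
]

def user_agent(record):
    """Return the UserAgent value from ExtendedProperties, or None if absent."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value")
    return None

def successful_logins(auditdata_lines):
    """Yield parsed records for successful UserLoggedIn events only."""
    for line in auditdata_lines:
        rec = json.loads(line)
        if rec.get("Operation") == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded":
            yield rec

def ropc_logins_from_unfamiliar_ips(auditdata_lines, agent="BAV2ROPC"):
    """Flag ROPC logins whose IP is not seen in that user's other successful logins.
    Returns {user: [(time, ip), ...]}; users whose ROPC IPs are all familiar are omitted."""
    known_ips = defaultdict(set)   # per-user IPs seen with a non-ROPC user agent
    ropc = defaultdict(list)       # per-user ROPC login events
    for rec in successful_logins(auditdata_lines):
        if user_agent(rec) == agent:
            ropc[rec["UserId"]].append((rec["CreationTime"], rec["ClientIP"]))
        else:
            known_ips[rec["UserId"]].add(rec["ClientIP"])
    flagged = {}
    for user, events in ropc.items():
        unfamiliar = [(t, ip) for t, ip in events if ip not in known_ips[user]]
        if unfamiliar:
            flagged[user] = unfamiliar
    return flagged

if __name__ == "__main__":
    for user, events in ropc_logins_from_unfamiliar_ips(SAMPLE_AUDITDATA).items():
        print(user, events)
```

Alice and Bob are flagged (ROPC from an IP never seen in their other logins); Carol is not, because her BAV2ROPC sign-in came from her usual office IP.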
- Dawg098 (Copper Contributor)
We have seen the exact same behavior a couple of times now; both were for user accounts that were removed several years ago. The latest was for a user that left in 2010. The IPs are showing as MS Data Centers in South Korea and Dublin.
- Blaaamo (Copper Contributor)
I was alerted by my email security company that a user had successfully logged in from The Ukraine. In Azure AD the user agent is this: User agent BAV2ROPC
So I Googled it and here we are. I see it's being called an old version of an office app login, but it also pops when a user is using a VPN to stream and then logs into Office 365 with the VPN still on. So I haven't gotten any closer to solving this, and I hope someone has some more info. I didn't hear a peep from SentinelOne or Darktrace on this.
- Flobber (Copper Contributor)
And the beat goes on.
- Alicia_Shelley (Copper Contributor)
20.190.128.80 Microsoft San Antonio, TX as well.
- casualbob (Copper Contributor)
I see this has had over 400 views now but no replies. If you're looking at this, would you mind dropping a note and letting me know why you ended up on this page? Are you experiencing the same thing? It's increased quite a lot since I posted this, and no one can give me an answer as to why it's happening. Cheers.