Suspected brute-force attack and None of the passwords attempted were previously used passwords

Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted were previously used passwords.

This makes me wonder. It knows it is a password that was not used before. But did the account try to log in 100 times with this password, or did it make 100 tries with 100 passwords that were not used before?


If it is 100 tries with just 1 never-used password, it is possibly just someone who made a typo in a script (password), for example.

If it was 100 different passwords, it is a much bigger issue.

I cannot find in the documentation how I should read this. I am also not aware of an option to figure this out (Kusto query, for example).

Anyone have an idea?
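Since the question asks for a Kusto query: this is an added example, not from the thread or from Microsoft, that profiles the failed logons behind an MDI brute-force alert in Microsoft 365 Defender advanced hunting. It assumes the IdentityLogonEvents table and the columns used below; the account name and time window are placeholders.

```kusto
// Added example (not part of the original thread). Assumes the advanced hunting
// table IdentityLogonEvents with the columns used here; account and window are placeholders.
// Caveat: logon events carry no password material, so no query can tell
// "100 tries of one password" from "100 different passwords". What it can show
// is cadence, source and protocol: one source, one failure reason and a very
// regular gap between attempts is the usual signature of a script retrying a
// stale credential, while many sources or mixed protocols deserve a closer look.
let targetAccount = "svc-backup";               // placeholder: account named in the alert
let alertStart = datetime(2024-01-01 08:00:00); // placeholder: alert window start
let alertEnd = datetime(2024-01-01 09:00:00);   // placeholder: alert window end
let failures = IdentityLogonEvents
| where Timestamp between (alertStart .. alertEnd)
| where ActionType == "LogonFailed"
| where AccountName =~ targetAccount;
failures
// order per source so prev() compares consecutive attempts from the same device
| order by DeviceName asc, IPAddress asc, Timestamp asc
| extend GapSeconds = iff(prev(DeviceName) == DeviceName and prev(IPAddress) == IPAddress,
    datetime_diff('second', Timestamp, prev(Timestamp)), long(null))
| summarize
    Attempts = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    MinGapSeconds = min(GapSeconds),
    MedianGapSeconds = percentile(GapSeconds, 50),
    MaxGapSeconds = max(GapSeconds),
    Protocols = make_set(Protocol),
    FailureReasons = make_set(FailureReason),
    Applications = make_set(Application)
    by DeviceName, IPAddress
// a near-constant Min/Median/Max gap from a single source reads as a scheduled
// task or service retrying one bad password; bursts from many sources do not
| order by Attempts desc
```

Run it for the account and window shown in the alert, then compare the source list against where that account legitimately runs (scheduled tasks, services, mapped drives).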

Hi,

Seems logical this is 100 attempts with 100 different passwords.
If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 times more on the same account.
If it would be a password-spray attack, then an attacker might use the same password against 100 accounts.

Your message also says: "none of the passwordS"...

So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.
I would indeed assume this based on the message/event. But then again, it does not know if you try different passwords, only that it is different than old known passwords. I am sure this account is not under brute-force attack.

Sure is worth investigating :lol:
So, I guess this one you already figured out it was a script, or similar, using the wrong password... which for an AI system looks like a brute force attack...
So, this one is benign positive then :smile:


Guess "Suspected" is key in this case....
Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft L...
Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender f...

So, it is based on authentication attempts... but I guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used?

Probably the underlying detection algorithms will not be shared for security reasons. So let's just go with what we know:
Get an alert, investigate :lol:

Hi,

For better clarity, you need to investigate more of the various possible indicators on the impacted user account. In a recent update, Microsoft is rolling out a new alert for detecting password spray attacks. Use the blog below to identify what indicators should be monitored and how to defend against such attacks.
https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/