Locked account due to many attempts from malicious IP

Iron Contributor

Hello experts,

 

Today, a user contacted me saying she cannot access M365 and asked me to unlock her account. The first thing I checked was her sign-ins in MS Entra, and there I found many, many attempts to log in from different countries, like India, Russia, Denmark etc., that happened only a few seconds apart. As a result, the user's account got blocked. This is the first time I've had to deal with this kind of issue. See pictures below.

 

[image: sumo83_0-1706719574177.png]

 

[image: sumo83_1-1706719619315.png]

 

Now, it looks like another user was under the same attack a few days ago (he is on vacation, so he doesn't know he is blocked for now :)). Anyway, I'm wondering how I can prevent these types of attack.

 

We have MFA (app auth) configured, so even if the password got broken, MFA should prevent the attacker from signing in.

 

I was going to create a Conditional Access policy, but there are countries like Italy, Denmark (and other EU ones) that I don't want to block.

 

We have M365 E3 with M365 E5 Security subscriptions assigned to all users.

 

I would be grateful for any advice.

 

3 Replies
This looks promising. I was not aware of this feature. If I understand it properly, it has the possibility to unlock the password after a configured duration, which is what I need, and to have it unlocked without admin or user intervention.

I will do more research on this feature and test it ;)

OK, so I've done some more reading on this, and it looks like Smart Lockout is enabled by default? And to modify it, I can do it as described in the blog. So I am not sure if it will help to modify the default settings.

I am a bit surprised that I do not see anything under "Protection > Identity Protection > Risky users" or "Risky sign-ins". I can't understand why, as the user's account was blocked due to lots of attempts from a malicious IP. I would expect that user to be visible under Risky Users?

 

From the sign-in logs, I could see that those attempts were blocked during the password spray attack that was going on against that account for 2 days, so Smart Lockout was doing its job, I guess, as it was blocking it without affecting the real user. However, due to the large number of attempts from the attacker, the user account got blocked anyway eventually.

 

How to protect against this?
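The pattern described in the original post and in the last reply (many failed sign-ins from different countries a few seconds apart, and then the account reporting as locked) can be triaged directly from the sign-in log records. The script below is an added example, not code from the thread or from Microsoft. The records are constructed in the shape returned by Microsoft Graph `/auditLogs/signIns` (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode); the UPNs, IP addresses and thresholds are placeholders. It relies on two documented Entra error codes: AADSTS50126 (invalid username or password) and AADSTS50053 (account locked by Smart Lockout, or sign-in blocked from an IP with malicious activity).

```python
"""Triage Entra ID sign-in records for a password-spray lockout.

Added example (not from the thread). Input records mimic the Microsoft Graph
signIn resource; SAMPLE_SIGNINS below is constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = 0
INVALID_PASSWORD = 50126   # AADSTS50126: wrong username or password
ACCOUNT_LOCKED = 50053     # AADSTS50053: Smart Lockout / blocked malicious IP


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _rec(upn, when, ip, country, code):
    """Build one record in the Graph signIn shape (only the fields used here)."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


# Constructed sample: alice signs in legitimately from Denmark, is then sprayed
# from several countries (Denmark included), Entra starts answering 50053, and
# finally her own IP gets 50053 too. bob just mistypes his password once.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "2024-01-31T07:55:00Z", "198.51.100.5", "DK", SUCCESS),
    _rec("alice@contoso.example", "2024-01-31T08:00:01Z", "203.0.113.10", "IN", INVALID_PASSWORD),
    _rec("alice@contoso.example", "2024-01-31T08:00:04Z", "203.0.113.11", "RU", INVALID_PASSWORD),
    _rec("alice@contoso.example", "2024-01-31T08:00:09Z", "203.0.113.12", "DK", INVALID_PASSWORD),
    _rec("alice@contoso.example", "2024-01-31T08:00:13Z", "203.0.113.13", "BR", INVALID_PASSWORD),
    _rec("alice@contoso.example", "2024-01-31T08:00:18Z", "203.0.113.14", "US", INVALID_PASSWORD),
    _rec("alice@contoso.example", "2024-01-31T08:00:22Z", "203.0.113.15", "IN", ACCOUNT_LOCKED),
    _rec("alice@contoso.example", "2024-01-31T08:00:26Z", "203.0.113.16", "RU", ACCOUNT_LOCKED),
    _rec("alice@contoso.example", "2024-01-31T08:05:00Z", "198.51.100.5", "DK", ACCOUNT_LOCKED),
    _rec("bob@contoso.example", "2024-01-31T08:01:00Z", "198.51.100.9", "IT", INVALID_PASSWORD),
    _rec("bob@contoso.example", "2024-01-31T08:01:30Z", "198.51.100.9", "IT", SUCCESS),
]


def analyze_signins(records, window_minutes=10, min_failures=5, min_countries=3):
    """Per user: size of the busiest failure burst, where it came from, how many
    responses were lockouts, and whether the lockout reached the user's own IP.
    Thresholds are placeholders; tune them to the tenant's normal noise."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_user[r["userPrincipalName"]].append(r)

    window = timedelta(minutes=window_minutes)
    out = {}
    for upn, recs in by_user.items():
        failures = [r for r in recs if r["status"]["errorCode"] != SUCCESS]
        successes = [r for r in recs if r["status"]["errorCode"] == SUCCESS]
        home_ips = {r["ipAddress"] for r in successes}
        home_countries = {r["location"]["countryOrRegion"] for r in successes}
        locked = [r for r in failures if r["status"]["errorCode"] == ACCOUNT_LOCKED]

        # Busiest window: for each failure, count the failures that follow it
        # within window_minutes, and keep the largest burst.
        best_n, best_countries, best_ips = 0, set(), set()
        for i, f in enumerate(failures):
            start = _ts(f["createdDateTime"])
            burst = [g for g in failures[i:] if _ts(g["createdDateTime"]) - start <= window]
            if len(burst) > best_n:
                best_n = len(burst)
                best_countries = {g["location"]["countryOrRegion"] for g in burst}
                best_ips = {g["ipAddress"] for g in burst}

        out[upn] = {
            "failures_in_window": best_n,
            "countries": sorted(best_countries),
            "source_ips": sorted(best_ips),
            "home_countries": sorted(home_countries),
            # Countries seen only in failures: candidates for a Conditional
            # Access block list; countries the user also signs in from are not.
            "block_candidates": sorted(best_countries - home_countries),
            "lockout_responses": len(locked),
            # Smart Lockout spilling onto the real user: a 50053 from a home IP.
            "legit_user_locked_out": any(r["ipAddress"] in home_ips for r in locked),
            "password_spray": best_n >= min_failures and len(best_countries) >= min_countries,
        }
    return out


if __name__ == "__main__":
    for upn, summary in analyze_signins(SAMPLE_SIGNINS).items():
        print(upn, summary)
```

Running it on the sample marks alice as sprayed (8 failures from 5 countries inside one 10-minute window, 3 lockout responses, and a lockout reaching her own IP), lists BR, IN, RU and US as block candidates while keeping DK because she signs in from there, and leaves bob alone. To use it on real data, replace SAMPLE_SIGNINS with the JSON export of the Entra sign-in logs or the output of Get-MgAuditLogSignIn, and compare block_candidates against the EU countries you want to keep allowed before building the Conditional Access named location.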