Access to Azure Portal from Microsoft Datacenter IP

Hi there!

In our company's Sentinel I detected some abnormal activity.

In the past 3-4 weeks several users tried to log in to the Azure Portal from IP addresses which belong to a Microsoft Datacenter. Each user was used three to four times max.

The IP addresses were never the same (except for one IP address which was used twice).

The Location was in the USA and Canada.

The login was blocked, and the Result Description was either "Invalid username or password or invalid on-premise username or password" or "Sign-in was blocked because it came from an IP address with malicious activity".

Has anybody detected similar behaviour, maybe in the past? 

I hope I described the behaviour in enough detail.

0 Replies