False Positive Risky users Alerts detected with Zoom IP prefixes


Hi guys, good day. I have been observing a few false-positive Risky Sign-in alerts involving a few of my company users, and all these detections come up with a new IP (3.x.x.x) from the Zoom pool of addresses; the sign-in client is: ZOOMROOMS (ExchangeServicesClient/0.0.0.0)


After investigating the issue with Zoom and Microsoft support, it was identified that the majority of our Zoom Rooms are using the API calendar and generating the API calendar calls. This would most likely generate that log, since our Zoom Rooms software regularly pulls information from the calendar resource to display on its screen.


Zoom advised whitelisting their IP ranges in Azure using Conditional Access policies, but it seems these IPs are also being used by other clients. Wondering if anyone has had the same situation and added the vendor IPs (Zoom, Zscaler) to the whitelist in Conditional Access policies. I am only concerned about the below:


  • Whether it's safe to whitelist these IP ranges, considering the consequences if these IPs are misused by intruders to bypass the security system and then access internal resources
  • These IPs are being shared with other clients as well; is there any chance somebody can easily spoof these IP addresses?

Thanks


1 Reply
I had this issue with a customer.
I was also told to add them to the trusted locations, but I didn't want to do that either.

You have to train the Identity Protection model. Each time an alert comes in, mark the sign-in as safe (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback#how-should-i-give-risk-feedback-and-what-happens-under-the-hood). You will see that the model doesn't learn fast. In my case, I had to do this for at least a month, but after a while these alerts will disappear.
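Both the question (is it safe to add a shared vendor IP range as a trusted location?) and the reply (give risk feedback per sign-in instead) come down to the same triage decision: a sign-in is only "expected" when the source IP, the client string and the account all match the known Zoom Rooms pattern, not when the IP alone does. The following added example, written for this thread and not taken from Microsoft, Zoom or the original posters, encodes that rule over a few constructed sign-in records so an analyst applies a consistent check before marking an alert safe. The prefix `203.0.113.0/24` is a stand-in for the vendor's published list, the `room-` account naming convention is an assumption, and the `is_room_account` lookup would be a directory query in a real deployment; the client string is the one quoted in the thread.

```python
"""Triage risky sign-in events against a narrowly scoped vendor pattern.

The point of the check: sharing an IP range with other tenants' clients means
the IP is not evidence on its own. Only the full combination (vendor IP range +
expected client string + resource/room account + non-interactive sign-in) is
treated as the known-benign calendar-polling pattern; everything else escalates.
"""
import ipaddress
import json
from typing import Dict, List

# Assumption: stand-in for the vendor's published prefix list (TEST-NET-3 is a
# documentation range); the real list is fetched from the vendor and refreshed.
VENDOR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Client string exactly as it appeared in the thread's risky sign-in alerts.
EXPECTED_CLIENT = "ZOOMROOMS (ExchangeServicesClient/0.0.0.0)"

# Assumption: room resource accounts follow a naming convention. A production
# version would query the directory for the resource-mailbox attribute instead.
ROOM_ACCOUNT_PREFIX = "room-"


def ip_in_vendor_range(ip: str) -> bool:
    """True when the address falls inside any configured vendor prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_PREFIXES)


def is_room_account(upn: str) -> bool:
    """Assumed convention: room resource accounts are named room-<name>@..."""
    return upn.split("@", 1)[0].startswith(ROOM_ACCOUNT_PREFIX)


def triage(event: Dict) -> str:
    """Return 'likely-benign' only when every attribute of the pattern matches.

    Any single mismatch escalates: a different client from the same shared IP
    space, a human account presenting the room client string, or an interactive
    session are all outside what the calendar-polling explanation accounts for.
    """
    if not ip_in_vendor_range(event["ip"]):
        return "escalate"
    if event["client"] != EXPECTED_CLIENT:
        return "escalate"  # shared IP space, unexpected client
    if not is_room_account(event["user"]):
        return "escalate"  # room client string on a non-room account
    if event.get("interactive", True):
        return "escalate"  # calendar polling is non-interactive
    return "likely-benign"


def parse_events(jsonl: str) -> List[Dict]:
    """Parse newline-delimited JSON sign-in records (one event per line)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def summarize(events: List[Dict]) -> Dict[str, str]:
    """Map event id to triage verdict."""
    return {e["id"]: triage(e) for e in events}


# Constructed sample records: the fields mirror what a risky sign-in alert
# carries (user, source IP, client app, interactivity), values are made up.
SAMPLE_JSONL = "\n".join([
    json.dumps({"id": "ev1", "user": "room-boardroom@example.com",
                "ip": "203.0.113.10", "client": EXPECTED_CLIENT,
                "interactive": False}),
    json.dumps({"id": "ev2", "user": "alice@example.com",
                "ip": "203.0.113.11", "client": "Browser",
                "interactive": True}),
    json.dumps({"id": "ev3", "user": "alice@example.com",
                "ip": "203.0.113.12", "client": EXPECTED_CLIENT,
                "interactive": False}),
    json.dumps({"id": "ev4", "user": "room-lobby@example.com",
                "ip": "198.51.100.7", "client": EXPECTED_CLIENT,
                "interactive": False}),
])


if __name__ == "__main__":
    for event_id, verdict in summarize(parse_events(SAMPLE_JSONL)).items():
        print(f"{event_id}: {verdict}")
```

Only `ev1` comes back as likely benign; `ev2` shows why a trusted named location for the whole range would be too broad (same IP space, an interactive browser sign-in), and `ev3` catches the room client string on a human account. Verdicts of `likely-benign` are what an analyst would confirm as safe through the risk feedback described in the reply, while `escalate` keeps the alert in the normal investigation queue.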