cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Users with leaked credentials

Peter Nicholson
Copper Contributor

‎Sep 11 2017 08:00 AM

‎Sep 11 2017 08:00 AM

Users with leaked credentials

Can anyone tell me the logic used in this report? We have a situation where I need to prove one of our users performed a certain action as listed in our 365 audit logs. An obvious argument is that if their account was compromised, it may have been done by a third party using their credentials.

 

Their account does not appear in this report, so my question is - How much stock can I put in the fact that they do not appear in this report?

7,229 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Peter Nicholson (Copper Contributor)
Cian Allner

‎Sep 11 2017 10:03 AM

‎Sep 11 2017 10:03 AM

Solution

Re: Users with leaked credentials

Not sure it will help but here is the official explanation of leaked credentials and how Microsoft matches one of these users:

 

"When cybercriminals compromise valid passwords of legitimate users, the criminals often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market. The Microsoft leaked credentials service acquires username / password pairs by monitoring public and dark web sites and by working with:

 

  • Researchers
  • Law enforcement
  • Security teams at Microsoft
  • Other trusted sources

When the service acquires username / password pairs, they are checked against AAD users' current valid credentials. When a match is found, it means that a user's password has been compromised, and a leaked credentials risk event is created."

 

This is from here by the way.  This isn't foolproof, it's just what Microsoft can acquire and potentially match.

2 Likes
Reply
Jon_I999

‎Jan 11 2019 07:17 AM

‎Jan 11 2019 07:17 AM

Re: Users with leaked credentials

In this statement

 

"When the service acquires username / password pairs, they are checked against AAD users' current valid credentials. When a match is found, it means that a user's password has been compromised, and a leaked credentials risk event is created."

 

Does this mean that they are actually comparing passwords / hashes of those found with those in an organisations AD, or are they just matching the username with ones found on lists, and from that deciding the creds are blown?

 

If they are accessing an organisations Azure password hashes that sounds bad.  If they are not then it sounds like a pretty basic service?

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Peter Nicholson (Copper Contributor)
Cian Allner

‎Sep 11 2017 10:03 AM

‎Sep 11 2017 10:03 AM

Solution

Re: Users with leaked credentials

Not sure it will help but here is the official explanation of leaked credentials and how Microsoft matches one of these users:

 

"When cybercriminals compromise valid passwords of legitimate users, the criminals often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market. The Microsoft leaked credentials service acquires username / password pairs by monitoring public and dark web sites and by working with:

 

  • Researchers
  • Law enforcement
  • Security teams at Microsoft
  • Other trusted sources

When the service acquires username / password pairs, they are checked against AAD users' current valid credentials. When a match is found, it means that a user's password has been compromised, and a leaked credentials risk event is created."

 

This is from here by the way.  This isn't foolproof, it's just what Microsoft can acquire and potentially match.

View solution in original post

2 Likes
Reply