Aug 03 2021
- last edited on
Jan 14 2022
Hello, I'm looking for a definitive, authoritative answer to what exactly entails a Azure AD login failed with the message "Sign-in was blocked because it came from an IP address with malicious activity". Errore code 50053. On the Authentication Details for the login, the Result Detail is showing "Incorrect password".
I've looked around other posts in forum but I did find only this answer https://docs.microsoft.com/en-us/answers/questions/2646/blocked-signed-in-due-to-ip-what-about-passw...
I would like to know if a login as in this case, with
- Basic info showing as Failure reason "Sign-in was blocked because it came from an IP address with malicious activity"
- Authentication details showing as Result detail "Incorrect password"
is a login with a correct password, which was reject by Azure AD because it came from a known malicious IP, or is a login with a bad password.
I need to know because in the first case the user is compromised, and I need to take action, in the second case the user is not compromised, and this is a standard bruteforce attempt I can safely ignore.
Aug 06 2021 08:20 AM
Aug 06 2021 08:21 AM
Sep 06 2021 03:22 AM
Sep 11 2021 05:23 AM
Not an authorative answer, just an observation based on 30 Tenants. We see these messages coming from all over the world (Asia seems prevalent), targeting our users with IMAP4 calls, some are bulk and block the account, some come from suspect IPs (MS machine learning we assume) and some just try 3 times per hour (to prevent blocking the account we assume). These are all Failures (we also monitor successful Logins are only from locations we expect). To block these Fails we advise to enable MFA. For those tenants that refuse to have MFA enabled (yes it happens) we disabled Basic authentication (iMap4 and Pop3 mainly) though [Set-OrganizationConfig -DefaultAuthenticationPolicy] to stop these password guessing attempts. We also did this for Tenants who are not (yet) being targeted. For new Tenants we don't give a choice anymore, MFA is included.
Oct 15 2021 02:19 PM
@c___b We mention in the following documentation:
If the correct password was used, the Authentication Details of the Sign In Logs will show "Correct password" and we will generate an Identity Protection risk detection on that sign-in.