Foreign O365 Invasion! Stopping the Hordes
Who in the World is Trying to get Into Your O365 Tenant?
An IT executive recently ran a report showing the company CEO trying to login from Kuala Lumpur. The only problem – that same executive was sitting in his office down the hall in New York City. The same report showed sign-in attempts across Asia, East Europe and Russia – and a handful from Nigeria. There were no company offices in any of these places.
Without such a report, IT is flying blind, and Office 365 security practices are mediocre at best. And only CoreView has this report!
Knowing how many suspicious sign-ins attempts are happening, where they are coming from, and what they are targeting is a key security best practice. Unfortunately, this is terrifically difficult work if all you have is the native O365 Admin Center from Microsoft.
Many breaches come from botnet driven, brute-force attacks on user accounts by trying different passwords combinations at segmented intervals until they gain access over time. This was the method used by the “KnockKnock” attack, which successfully targeted Office 365 system accounts. The Azure AD security monitoring and auditing reports available in CoreView provide the type of proactive, fast analysis capabilities to quickly sniff-out suspicious activities for user account signins. Identifying those hackers early on allows IT teams to quickly block those IP addresses and enable extra security to any of the accounts that are being targeted.
This is extremely helpful for distributed organizations with multiple sites and geographic locations. One enterprise organization we talked to said that they have improved their response time to block remote hacker attempts by over 500%. One customer based in the mid-western US said that they used to spend approximately 80 hours/month running their own PowerShell scripts and sifting through the piles of data to search for anomalous sign-ins across their different geographic locations. Now they spend about 10 hours/month monitoring for suspicious sign-ins and can take immediate action when they find an issue.
Here are suspicious sign-ins tracked by CoreView:
Sign-Ins From Infected Devices
This report showcases the account logins that were performed from infected devices that are now part of a botnet. We correlate IP addresses of user sign-ins against IP addresses that are known to be in contact with botnet servers. These are important to quickly identifying users infected with malware or other infestations that need immediate remediation. These reports are completely customizable.
Sign-Ins From IP Addresses With Suspicious Activity
This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity, in this case, is defined as an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
Sign-Ins From Multiple Geographies
This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.
Impossible Travel Sign-Ins
These types of questionable sign-ins are identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This means that a successful sign-in occurs from a single account over multiple geographic locations in overlapping time sequences. This may indicate that a hacker has successfully signed in using this account.
Protect Your O365 Tenant With CoreView
Or sign up for a personalized CoreView demo.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.