
Foreign O365 Invasion! Stopping the Hordes


Who in the World is Trying to get Into Your O365 Tenant?

An IT executive recently ran a report showing the company CEO trying to log in from Kuala Lumpur. The only problem – that same executive was sitting in his office down the hall in New York City. The same report showed sign-in attempts across Asia, Eastern Europe and Russia – and a handful from Nigeria. There were no company offices in any of these places.

Without such a report, IT is flying blind, and Office 365 security practices are mediocre at best. And only CoreView has this report!

Knowing how many suspicious sign-in attempts are happening, where they are coming from, and what they are targeting is a key security best practice. Unfortunately, this is terrifically difficult work if all you have is the native O365 Admin Center from Microsoft.

Many breaches come from botnet-driven brute-force attacks on user accounts, in which attackers try different password combinations at segmented intervals until they gain access over time. This was the method used by the “KnockKnock” attack, which successfully targeted Office 365 system accounts. The Azure AD security monitoring and auditing reports available in CoreView provide the proactive, fast analysis capabilities needed to quickly sniff out suspicious activity in user account sign-ins. Identifying those hackers early on allows IT teams to quickly block those IP addresses and enable extra security for any of the accounts that are being targeted.

This is extremely helpful for distributed organizations with multiple sites and geographic locations. One enterprise organization we talked to said that they have improved their response time to block remote hacker attempts by over 500%. One customer based in the mid-western US said that they used to spend approximately 80 hours/month running their own PowerShell scripts and sifting through the piles of data to search for anomalous sign-ins across their different geographic locations. Now they spend about 10 hours/month monitoring for suspicious sign-ins and can take immediate action when they find an issue.

Here are suspicious sign-ins tracked by CoreView:

Sign-Ins From Infected Devices

This report shows the account logins that were performed from infected devices that are now part of a botnet. We correlate IP addresses of user sign-ins against IP addresses that are known to be in contact with botnet servers. These correlations are important for quickly identifying users infected with malware or other infestations that need immediate remediation. These reports are completely customizable.

Sign-Ins From IP Addresses With Suspicious Activity

This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity, in this case, is defined as an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.

Sign-Ins From Multiple Geographies

This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.

Impossible Travel Sign-Ins

These types of questionable sign-ins are identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This means that a successful sign-in occurs from a single account over multiple geographic locations in overlapping time sequences. This may indicate that a hacker has successfully signed in using this account.
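The time-versus-distance check behind the multiple-geography and impossible-travel reports can be sketched as follows. This is an added example, not CoreView's code or report logic; the record layout, the sample sign-ins, the 900 km/h speed ceiling and the 100 km minimum distance are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 100.0   # assumed floor: ignore small hops caused by geo-IP imprecision

# Constructed sample records: (user, UTC time, city, lat, lon, success)
SIGN_INS = [
    ("ceo@example.com", "2024-03-04T13:05:00", "New York", 40.71, -74.01, True),
    ("ceo@example.com", "2024-03-04T14:40:00", "Kuala Lumpur", 3.14, 101.69, True),
    ("ceo@example.com", "2024-03-04T14:55:00", "Lagos", 6.52, 3.38, False),
    ("amy@example.com", "2024-03-04T09:00:00", "New York", 40.71, -74.01, True),
    ("amy@example.com", "2024-03-05T08:00:00", "London", 51.51, -0.13, True),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(records, max_kmh=MAX_KMH):
    """Return (user, from_city, to_city, km, hours) for consecutive successful
    sign-ins whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon, ok in records:
        if ok:  # only successful sign-ins are compared; failures are skipped
            by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological order per account
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Distant sign-ins at the same instant are flagged outright.
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                findings.append((user, c1, c2, round(km), round(hours, 2)))
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(SIGN_INS):
        print(finding)
```

Lowering `max_kmh` makes the check stricter; a pair that clears the threshold, like the New York to London sign-ins a day apart, is left for the administrator to judge rather than flagged.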

Protect Your O365 Tenant With CoreView

Get your O365 security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page:

Or sign up for a personalized CoreView demo.

