Nov 9 2018
Office 365 Security Monitoring
AD Suspicious Sign-in Activity
While hackers have targeted Microsoft products and services for decades, the growth in brute-force login and phishing attacks has made Office 365 a primary target. Now that Office 365 has become Microsoft’s fastest-growing offering and the breaches coming from e-mail and misused identities continue to accelerate, it’s essential that Office 365 administrators take proactive steps to continuously monitor sign-in activity and “hack-proof” their environments.
This blog is a continuation of our series describing CoreView functionality that empowers administrators to perform security monitoring and forensic analysis for Office 365 events, plus the security features that provide automated alerts for known security risks. This topic covers the specific functionality for Active Directory (AD) auditing and reporting to monitor suspicious sign-in activity.
The Azure AD security monitoring and auditing reports available in CoreView provide the proactive, bloodhound-type trail to sniff out suspicious activity on user account log-ins. Many security breaches come from botnet-driven brute-force attacks on user accounts, trying different password combinations until they gain access over time. This was the method used by the “KnockKnock” attack reported last summer, which targeted Office 365 system accounts. Add to this the new ShurL0ckr-type attacks in 2018 that infect OneDrive collaborative storage folders, and you can see how IT admins have their hands full monitoring security breaches and infestations.
Monitoring suspicious sign-in activities on user accounts has quickly become a critical security task for IT administrators responsible for managing Office 365. The customizable reports from CoreView enable IT admins to easily monitor these suspicious activities, identify who performed the sign-in, when it happened, and from what geographic location (which IP address). This is extremely helpful for distributed organizations with multiple sites and geographic locations. The anomalous AD activity reports combine suspicious sign-in details from the following categories:
- Sign-ins from unknown sources
- Sign-ins after multiple failures
- Sign-ins from multiple geographies in the same days/weeks
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from possibly infected devices
- Irregular sign-in activity
(Example of security auditing report for sign-in failure activity)
**Note: CoreView also enables the configuration of automated alerts for a specific suspicious sign-in activity. Using this model, an IT admin is notified immediately when any of these security issues occur.
Listed below are more detailed descriptions of the different suspicious sign-in categories and examples of the reports shown in CoreView.
Sign-ins from infected devices
This report showcases the account logins that were performed from infected devices that are now part of a botnet. We correlate the IP addresses of user sign-ins against IP addresses that are known to be in contact with botnet servers. This makes it possible to quickly identify users infected with malware or other infestations that need immediate remediation. These reports are completely customizable. By clicking on the ‘Columns’ drop-down menu, you can add or remove information from the report. The columns can also be filtered to include the exact subset of information you wish to monitor. And, as with any report in CoreView, it can be easily exported, saved, printed, or scheduled for distribution to run at a specific time along with the applied changes and filters.
(Example of suspicious sign-in from an infected device)
**Note: This report flags IP addresses, not user devices. We recommend that you contact the user and scan all the user’s devices to be certain. It is also possible that a user’s personal device is infected, or that someone using the same IP address as the user has an infected device. For more information about how to address malware infections, see the Malware Protection Center.
Sign-ins from IP addresses with suspicious activity
This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in this case is defined to be an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
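The ratio described above, as an added example that is not CoreView's own code: it aggregates a constructed set of sign-in records per source IP and flags an IP whose failed-to-successful ratio exceeds a threshold. The threshold, the minimum attempt count (so an IP is not flagged on a couple of typos), and the sample records are all assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data): (source IP, account, succeeded)
SAMPLE_SIGNINS = [
    ("198.51.100.7", "alice@example.com", False),
    ("198.51.100.7", "bob@example.com", False),
    ("198.51.100.7", "carol@example.com", False),
    ("198.51.100.7", "dave@example.com", False),
    ("198.51.100.7", "erin@example.com", True),
    ("203.0.113.5", "alice@example.com", True),
    ("203.0.113.5", "alice@example.com", False),
    ("203.0.113.5", "alice@example.com", True),
    ("192.0.2.9", "frank@example.com", False),
]


def suspicious_ips(signins, max_fail_ratio=3.0, min_attempts=5):
    """Return IPs whose failed:successful sign-in ratio exceeds max_fail_ratio.

    min_attempts is a hypothetical floor so that an IP with one or two
    failures (a mistyped password) is not reported as suspicious.
    """
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "accounts": set()})
    for ip, account, succeeded in signins:
        entry = stats[ip]
        entry["succeeded" if succeeded else "failed"] += 1
        entry["accounts"].add(account)

    flagged = {}
    for ip, entry in stats.items():
        attempts = entry["failed"] + entry["succeeded"]
        if attempts < min_attempts:
            continue
        # An IP with failures and no successes at all gets an infinite ratio.
        ratio = entry["failed"] / entry["succeeded"] if entry["succeeded"] else float("inf")
        if ratio > max_fail_ratio:
            flagged[ip] = {
                "failed": entry["failed"],
                "succeeded": entry["succeeded"],
                "ratio": ratio,
                "accounts_targeted": len(entry["accounts"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, detail in suspicious_ips(SAMPLE_SIGNINS).items():
        print(ip, detail)
```

The accounts_targeted count is reported alongside the ratio because a single IP failing against many different accounts is the pattern of the botnet brute-force attacks mentioned earlier.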
Sign-ins from multiple geographies
This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.
There may be different causes for these occurrences:
- User is sharing their password with other colleagues (shared business mailbox)
- User is using a remote desktop session to launch a web browser for sign-in
- A hacker has signed in from a different country
- User has a VPN or proxy
- User is signed in from multiple devices at the same time, such as a desktop and a mobile phone, and the IP address of the mobile phone is unusual.
This report will showcase the successful sign-in events, along with the time between the sign-ins, the regions where the sign-ins appeared to originate from, and the estimated travel time between those regions.
(Example of suspicious sign-in failures from different geographic locations)
Impossible Travel Sign-ins
This type of questionable sign-in is identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This means that successful sign-ins to a single account occur from multiple geographic locations in overlapping time sequences. This may indicate that a hacker has successfully signed in using this account.
(Example of suspicious sign-in activity report showing irregular logins)
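The comparison behind the multiple-geographies and impossible-travel reports above (time between two successful sign-ins versus the estimated travel time between their regions), as an added example that is not CoreView's own code. The sign-in records, the coordinates attached to them, and the 900 km/h maximum plausible travel speed are assumptions.

```python
import math
from datetime import datetime

# Constructed successful sign-ins for one account (not real data):
# (UTC timestamp, region label, latitude, longitude)
SUCCESSFUL_SIGNINS = [
    ("2018-11-05T08:00:00", "Milan", 45.46, 9.19),
    ("2018-11-05T09:30:00", "Paris", 48.86, 2.35),
    ("2018-11-05T11:00:00", "New York", 40.71, -74.01),
]

EARTH_RADIUS_KM = 6371.0


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins whose locations cannot be
    reached within the elapsed time at max_speed_kmh (assumed airliner speed).

    A VPN, proxy, or a phone on a remote carrier network will also trigger
    this, so each finding still needs the analyst checks listed earlier.
    """
    ordered = sorted(signins, key=lambda s: s[0])
    findings = []
    for (t1, r1, la1, lo1), (t2, r2, la2, lo2) in zip(ordered, ordered[1:]):
        elapsed_h = (datetime.fromisoformat(t2) - datetime.fromisoformat(t1)).total_seconds() / 3600
        km = distance_km(la1, lo1, la2, lo2)
        needed_h = km / max_speed_kmh  # estimated minimum travel time
        if needed_h > elapsed_h:
            findings.append({"from": r1, "to": r2, "km": round(km),
                             "elapsed_h": round(elapsed_h, 2), "needed_h": round(needed_h, 2)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SUCCESSFUL_SIGNINS):
        print(f)
```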
There you have it. If you are looking for a security bloodhound to monitor and track down suspicious sign-in activity, then CoreView is the solution you need. If you are interested in finding out more about our CoreView solution and how it can help with security compliance audits, raise security alerts, and cut your administration time in half, please visit our overview page online, or sign up for a trial at http://www.coreview.com/request-trial.