
What does this detection mean?

You’ve received a cloud detection alert indicating that a user’s account in your environment may have been breached. We suspect that a malicious actor has successfully logged into the account and has full access to anything in O365 that the legitimate user has permission to do.

How do we know the login is suspicious? 

This alert is the result of a machine learning detection that looks for successful logins that deviate from a user’s typical login behavior and may coincide with a brute force or password spray attack.

What does the confidence value represent?

This represents the likelihood that the detection is, in fact, malicious. Each authentication event that is detected is labeled with a probability of LOW, MEDIUM, or HIGH. If multiple authentication events were detected as malicious for a given user account, we report the highest probability among the individual detections.

What are 24-hour statistics?

These are statistics that are useful for understanding whether the account in question was targeted by a high-volume login attack (e.g., brute-force) in the past 24 hours. High values are generally more suspicious than low values, but what constitutes normal behavior will, of course, vary from account to account. 

Account lock-out errors indicate that Microsoft locked the account because there were too many attempted logins with incorrect credentials. Invalid credential errors indicate that invalid or expired credentials were used in a login attempt. In the Audit Log Search, lock-out errors and invalid credential errors are identified by the codes IdsLocked and InvalidUserNameOrPassword, respectively, in the LogonError field.

How do I interpret the table of successful login events?

These show pertinent information for up to 3 login events that were detected as suspicious. We recommend checking with the user as to whether or not these were legitimate.

What if the geolocation on the detection from ActZero is not the same as that from Microsoft?

IP geolocation is not an exact science. There is no central registry mapping IP addresses to cities or countries. There are services that attempt to do this, but every service has some degree of inaccuracy as well as delays in recording newly registered IP ranges.

What makes the IP Malicious?

The IP used in this session appears in a database of known malicious IPs. This means the IP has been identified as the source of other malicious activity, such as phishing. This may be due to a one-time event, to the ongoing malicious nature of the users of this IP, or, in rare cases, to a misclassification.

How do I investigate if an alert is a legitimate threat?

We recommend you take the following steps to investigate whether or not the detection represents a legitimate threat.

  1. User Confirmation: Ask the user if the detected login events were legitimate.
  2. Assess the 24-hour login counts: These statistics, explained above, are meant to give you a sense of whether the account has been the target of a login attack. If the values are abnormal for this account, that suggests malicious activity.
  3. Check that the logins were, in fact, successful: The detected logins may appear to you as failures if you have Conditional Access rules enabled (see below for more information). To check whether the logins were successful, run an audit log search in the Microsoft Security & Compliance Center. Detailed instructions are available in Microsoft’s "Search the audit log in the compliance center" knowledge base article.
  4. Other User Activity: Did the affected user do anything else suspicious in the past 24 hours? Filter the Unified Audit Log for the specific user over the last 24 hours with an Audit Log Search under the Security & Compliance Center. Similarly, you can look for suspicious activity in other O365 accounts.
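The following is an added example, not ActZero's or Microsoft's code, that ties the "24-hour statistics" section and investigation steps 2 through 4 together: it computes the lock-out, invalid-credential and successful-login counts for one user over a 24-hour window, produces the rows for the table of successful logins, and flags any success that was preceded by failures from the same source IP (the success-after-spray pattern the detection looks for). It assumes records shaped like the AuditData JSON that an audit log search exports; the field names CreationTime, Operation, UserId, ClientIP, ResultStatus and LogonError, the operation names UserLoggedIn and UserLoginFailed, and every sample record are assumptions or constructed data, while the two LogonError codes are the ones named on this page.

```python
# Added example (not ActZero's or Microsoft's code). Computes the 24-hour
# login statistics and the successful-login table described above for one
# user from records shaped like Unified Audit Log AuditData JSON, and flags
# successes preceded by failures from the same IP.
# Assumptions (not on the page): the field names CreationTime, Operation,
# UserId, ClientIP, ResultStatus and LogonError, the operation names
# UserLoggedIn / UserLoginFailed, and all sample records are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone

# The two LogonError codes named on the page.
LOCKOUT = "IdsLocked"
INVALID_CRED = "InvalidUserNameOrPassword"


def parse_time(s):
    """CreationTime is treated as an ISO-8601 UTC timestamp without a zone suffix."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def user_records(records, user):
    """Records for one user, oldest first (UserId matched case-insensitively)."""
    mine = [r for r in records if r.get("UserId", "").lower() == user.lower()]
    return sorted(mine, key=lambda r: parse_time(r["CreationTime"]))


def login_stats_24h(records, user, now):
    """Counts for the 24 hours ending at `now`, plus the successful logins
    (time and source IP) that populate the table of login events."""
    window_start = now - timedelta(hours=24)
    stats = Counter()
    successes = []
    for r in user_records(records, user):
        t = parse_time(r["CreationTime"])
        if not window_start <= t <= now:
            continue
        if r.get("Operation") == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            stats["successful_logins"] += 1
            successes.append({"time": r["CreationTime"], "ip": r.get("ClientIP")})
        elif r.get("Operation") == "UserLoginFailed":
            err = r.get("LogonError", "")
            if err == LOCKOUT:
                stats["account_lockouts"] += 1
            elif err == INVALID_CRED:
                stats["invalid_credentials"] += 1
            else:
                stats["other_failures"] += 1
    return dict(stats), successes


def successes_after_failures(records, user, lookback=timedelta(hours=1)):
    """Successful logins preceded, within `lookback`, by failed attempts from
    the same ClientIP: a success that coincides with a brute-force or spray."""
    failures_by_ip = {}
    flagged = []
    for r in user_records(records, user):
        t = parse_time(r["CreationTime"])
        ip = r.get("ClientIP")
        if r.get("Operation") == "UserLoginFailed":
            failures_by_ip.setdefault(ip, []).append(t)
        elif r.get("Operation") == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            prior = [ft for ft in failures_by_ip.get(ip, []) if t - lookback <= ft <= t]
            if prior:
                flagged.append({"time": r["CreationTime"], "ip": ip,
                                "prior_failures": len(prior)})
    return flagged


def _failed(ts, ip, err, user="alice@example.com"):
    return {"CreationTime": ts, "Operation": "UserLoginFailed", "UserId": user,
            "ClientIP": ip, "ResultStatus": "Failed", "LogonError": err}


def _success(ts, ip, user="alice@example.com"):
    return {"CreationTime": ts, "Operation": "UserLoggedIn", "UserId": user,
            "ClientIP": ip, "ResultStatus": "Success"}


# Constructed sample: a spray from 203.0.113.10 ending in a success, then a
# normal login from the user's usual address, plus noise for another user.
NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _success("2023-04-29T09:00:00", "198.51.100.7"),   # outside the 24-hour window
    _failed("2023-05-01T10:00:00", "203.0.113.10", INVALID_CRED),
    _failed("2023-05-01T10:01:00", "203.0.113.10", INVALID_CRED),
    _failed("2023-05-01T10:02:00", "203.0.113.10", INVALID_CRED),
    _failed("2023-05-01T10:03:00", "203.0.113.10", LOCKOUT),
    _success("2023-05-01T10:40:00", "203.0.113.10"),   # the suspicious login
    _success("2023-05-01T11:30:00", "198.51.100.7"),   # the user's usual office IP
    _failed("2023-05-01T11:45:00", "192.0.2.9", INVALID_CRED, user="bob@example.com"),
]

if __name__ == "__main__":
    stats, successes = login_stats_24h(SAMPLE_RECORDS, "alice@example.com", NOW)
    print("24-hour statistics:", stats)
    for s in successes[:3]:          # the page's table shows up to 3 events
        print("successful login:", s)
    for f in successes_after_failures(SAMPLE_RECORDS, "alice@example.com"):
        print("success after failures from the same IP:", f)
```

Running the block on the constructed sample reports three invalid-credential errors, one lock-out and two successful logins for the user in the window, and flags only the 10:40 login from 203.0.113.10, which followed four failures from that address. The "other_failures" bucket is there because real exports carry LogonError codes beyond the two the page names; a Conditional Access block, for instance, is something you should look for explicitly rather than count as a credential failure.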


What if I see the login attempts on my side as failures?

Microsoft has a mechanism called Conditional Access rules that blocks connections matching specific rules. This enforcement often happens after the login itself. What this means is that the malicious actor we identified does, in fact, have the credentials required to access the account; in this instance, however, Microsoft has prevented the malicious, authenticated user from doing anything post-login. In these situations, we recommend all users follow the advice in the alert message.

Where do I find my Conditional Access Rules?

Your Conditional Access rules can be found in the Azure portal. Detailed information about how to create and view these rules is also available in Microsoft’s documentation.

Recommended remediation steps

  1. Notify the user, as their credentials may be compromised.
  2. Microsoft recommends the following actions be taken: Microsoft remediation documentation. You might see the same event as a login failure in your logs if any further protection is enabled on the portal (such as Conditional Access rules) that blocks the authentication at a later phase. At a minimum, we recommend a reset of the user’s credentials, because they are known to the attacker.
  3. Follow Microsoft’s process to set up multi-factor authentication.
  4. Follow Microsoft’s process to kill active sessions in O365 for each affected user.

How do I force the user to reset the password for the O365 account?

We recommend that you follow Microsoft’s process to reset passwords associated with all accounts involved in the breach.


How do I block the IP address in O365?

We recommend that you follow Microsoft’s process to block the attacker’s IP address via Configure connection filtering.

Additionally, we recommend that you implement location-based access restrictions if possible. Microsoft’s Conditional Access: ‘Block access by location’ is a valuable resource for implementing this.


Should I disable the account?

Disabling the account is not necessary if the guidance in the alert message is properly followed.


Should I verify this detection with the user? With ActZero?

We recommend that you ask the user whether the detected authentication events were legitimate. If you confirm that the account was, in fact, compromised, please verify this detection with ActZero by replying to the detection email. This feedback allows us to improve our machine learning model.


Recommended additional precautions

  1. Microsoft's suggested steps: https://docs.microsoft.com/en-us/archive/blogs/office365security/using-office-365-activity-data-to-improve-your-cybersecurity-stance-and-capability
  2. Configure anti-malware protection in Exchange.