Azure MFA yet: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

mike2401
Our users are MFA'd but Azure reports: "Sign-ins from IP addresses that are anonymous, such as Tor IP addresses."

How is that possible?

I have 3 different users reporting this for location = Chelsea, NY, USA

YIKES!!!
Fractional CTO
Distinguished Expert 2018
Commented:
This also includes any VPN service.

Sign-ins from Tor or VPNs or any other NATed systems should be accepted, as anyone concerned with security uses VPNs these days.

Likely there's some setting you can toggle to allow this type of login.

Author

Commented:
Our users do VPN, but it's to US (our VPN end-point (ASA VPN concentrator) is located here in Philadelphia, NOT in New York).

I suppose if a user was using something like Tunnel Bear VPN, that could be a case where he's not hacked, but the last user I checked has no computer skills to do anything like that.

Thx
Mike
Distinguished Expert 2018

Commented:
Unless you're going to block IPs related to networks like Tor with your conditional access policies, then things like that are prone to happen. However, this does make it more important that you enforce the usage of MFA. However, that's purely a decision you're going to need to make as a company.

btan
Exec Consultant
Distinguished Expert 2018

Commented:
An anonymous IP address is not a strong indication of an account compromise. If the user does not know why and has scanned the machine for malware and found nothing:

It is probably worth checking any past error logs for possible correlation to see any relation to this event. Include the logs of the enterprise firewall where the user's machine is situated. The ISP should not be using any Tor service per se for consumer services either.

Meaning, there have been signs of other risks like sign-ins from unfamiliar locations or sign-ins from IP addresses with suspicious activity, etc. Not much leads into this but to monitor further, and closely, for other symptoms. Educate the user on practising good cyber hygiene, e.g. phishing email.

Author

Commented:
As to "prone to happen" and my general confusion:

How can someone login from a TOR end point (or anywhere else) if they don't have the cell phone to receive the MFA code?
Distinguished Expert 2018

Commented:
"How can someone login from a TOR end point (or anywhere else) if they don't have the cell phone to receive the MFA code?"
Are they logging in without MFA? And if so, have you checked to ensure that 1) MFA is set up for the user, 2) only a known device is set up to the account(s), and 3) that conditional access rules are in place to ensure that MFA must be used outside of your organization's public IPs?

Author

Commented:
In Azure Active Directory, we have the users set as "Enforced".  We have 'white-listed' our office's IP so it doesn't keep asking for MFA when the user is in the office.

Is there some loop-hole I'm not thinking about?
btan
Exec Consultant
Distinguished Expert 2018

Commented:
May have to look at the conditional access policy. It sets the access to block or grant when an anonymous IP is detected.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-sign-in-risk

Author

Commented:
Here's the latest:

The user successfully logged in, app= "Office 365 Exchange Online", MFA skipped due to IP address being that of our office (Philadelphia)

One hour later, 3,000 miles away in California, a successful login is shown:  app= "IOS Accounts" , "MFA requirement satisfied by claim in the token".

WTF?

What does that mean?
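The two log entries above are the classic "impossible travel" pattern: a trusted-IP sign-in that skipped MFA, then a sign-in an hour later on the other coast where MFA was satisfied only by a claim already in the token (so no prompt reached the phone). As an added example, not from this thread or from Microsoft, the script below correlates consecutive sign-ins per user and flags pairs whose implied speed is unreachable; the record fields and all values are constructed to mirror the thread, not a real Azure AD export.

```python
import math
from datetime import datetime

# Constructed sign-in records, loosely modelled on Azure AD sign-in log fields.
# Values are made up to mirror the two entries in the thread; not real log data.
SIGNINS = [
    {"user": "alice@example.com", "time": "2018-10-01T13:00:00Z", "city": "Philadelphia",
     "lat": 39.95, "lon": -75.17, "app": "Office 365 Exchange Online",
     "mfa": "MFA requirement skipped due to IP address"},
    {"user": "alice@example.com", "time": "2018-10-01T14:00:00Z", "city": "Los Angeles",
     "lat": 34.05, "lon": -118.24, "app": "IOS Accounts",
     "mfa": "MFA requirement satisfied by claim in the token"},
    {"user": "bob@example.com", "time": "2018-10-01T13:30:00Z", "city": "Philadelphia",
     "lat": 39.95, "lon": -75.17, "app": "Office 365 Exchange Online",
     "mfa": "MFA requirement skipped due to IP address"},
    {"user": "bob@example.com", "time": "2018-10-01T14:30:00Z", "city": "Philadelphia",
     "lat": 39.95, "lon": -75.17, "app": "IOS Accounts",
     "mfa": "MFA requirement satisfied by claim in the token"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    'satisfied by claim in the token' means the token already carried an MFA
    claim, so the second sign-in produced no prompt on the user's phone."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, events in by_user.items():
        for a, b in zip(events, events[1:]):
            hours = (parse_time(b["time"]) - parse_time(a["time"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                hits.append({"user": user, "route": f'{a["city"]} -> {b["city"]}',
                             "km": round(km), "kmh": round(speed),
                             "mfa_prompted": "claim in the token" not in b["mfa"]})
    return hits
```

A hit with `mfa_prompted` False is the case worth chasing first: the session was reused from a token, so the phone challenge never tells you whether the user was really there.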

Author

Commented:
Thanks, everyone.

Turns out the user signed up for Verizon's VPN protection for public WiFi spots ($3.99/month).

So, it wasn't a laptop VPN to our Cisco VPN concentrator endpoint, but rather random endpoints around the country!!!

Author

Commented:
Thanks!
