Failed attempts to login in Office 365 tenant
I am noticing in my Office 365 tenant that there are numerous "failed login attempts" on almost all the users in the company? Why does this typically happen and what should I do to protect the company? I'm wondering if its a bot trying to attempt a hack.
FYI, the main admin account is MFA so that is secure. Should I consider putting a limit on attempts to login? If so, how do I do that and will that prevent users from logging that currently have access?
FYI, the main admin account is MFA so that is secure. Should I consider putting a limit on attempts to login? If so, how do I do that and will that prevent users from logging that currently have access?
I would suggest applying Conditional access policies by restricting those IP addresses if its coming form a specific region.
This happens when someone use password spray attack.
This happens when someone use password spray attack.
Browse to portal.azure.com > Azure Active Directory > Singn-in
Download reports and filter for Failure status and see the Source.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
Download reports and filter for Failure status and see the Source.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
Easy fix, use one of the several Windows ports of Fail2Ban, such as https://github.com/glasnt/wail2ban or any other.
Fail2Ban works adaptively, on automatic, with no human intervention.
Just setup a rule to scan a log, then for any IP generating 3x bad logins over an hour or day or whatever time you like, block the IP for a day.
Fail2Ban works adaptively, on automatic, with no human intervention.
Just setup a rule to scan a log, then for any IP generating 3x bad logins over an hour or day or whatever time you like, block the IP for a day.
The best thing you can possibly do here is disable basic authentication (where possible), which is what bad actors are usually trying to exploit. You can start by doing this for Exchange Online, via auth policies: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
Or in general create a company-wide CA policy that blocks legacy auth.
Or in general create a company-wide CA policy that blocks legacy auth.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial